We all know some of the ancillary costs of data breaches. The loss of face in the community, the loss of faithful customers who no longer believe a company safe to work with, the loss of time spent repairing a system and augmenting it to face future breaches are all a part of the package.
The Cisco report found that, for over a third of organizations that suffered data breaches in 2016, the associated costs exceeded 20 percent of revenue. That doesn't even include the loss of customers and opportunity associated with these breaches; such figures are hard to measure concretely. The study also found that just over 20 percent of breached organizations lost customers, and 40 percent of those lost over a fifth of their current customer base.
Better yet, companies were already taking action before the report was announced. Ninety percent of breached organizations are improving defensive technology and processes following the attacks, and using a variety of measures to do so. Better than one in three are separating information technology (IT) and security departments, while 37 percent are adding risk mitigation strategies to normal operations. Thirty-eight percent, meanwhile, are stepping up security awareness training for employees.
Yet even here there are some faults to note: just over half—56 percent—of all security alerts are investigated. Not even half of legitimate alerts are actually addressed. This suggests not so much laxity, but rather that there are too many alerts to address. Issues of complexity are playing a part, and businesses are finding themselves strapped for sufficient personnel to tackle threats.
A real good news / bad news sort of situation has emerged here: companies are being hit, and hard, by data breaches, yet few companies are taking this lying down. While there is some clear discrepancy between threats known about and threats acted upon, there has to be a certain amount of lag; otherwise hackers could just threaten companies into oblivion by having them chase their collective tails after nonexistent threats. In fact, based on the numbers here, there's little to do but call for the standard increased vigilance, while noting that vigilance can't go much further without a significant expansion that might cost about as much in revenue as the breaches it is meant to defeat.
About the only thing left to do is call for improvements in threat detection, so that the false positives can be better winnowed out and the real problems responded to in a more focused fashion. It's worth doing, however, based on the numbers we've seen so far.