Scott & Scott, LLP Page 1
Business Impact of a Data Breach
Research Sponsored by Scott & Scott, LLP
Julie Machal-Fulks
May 23, 2007

Survey Topics
• Are organizations prepared to respond to breaches and what remedial actions do they consider the most important?
• Do organizations measure the cost related to breaches?
• What causes data breaches?
• How have breaches affected organizations’ strategies for preventing breaches?
• Are there differences in the way pre-breach and post-breach organizations approach prevention and detection of data breaches?

The sample of 702 IT security practitioners
Distribution of respondents by U.S. geographic regions
Regions: Northeast, Mid-Atlantic, Midwest, Southeast, Southwest, Pacific
Shares as listed: 22%, 19%, 17%, 14%, 12%, 16%
Sample response Freq. Pct%
Total sampling frame 11762 100.0%
Email invitations sent 11053 94.0%
Bounce back 897 7.6%
Total surveys received 780 6.6%
Rejected surveys 78 0.7%
Final sample 702 6.0%

85% of respondents’ companies experienced a breach or security incident
Bar Chart 1: Data breach statistics for the present sample
• Companies experiencing the loss of personal information: 85%
• Companies required to notify breach victims: 81%

42% of data breaches were caused by missing devices such as laptop computers
Bar Chart 2: Probable cause of the data breach event
• Missing backup media: 4%
• Malicious employees: 6%
• Criminal activity: 6%
• IT mishaps: 7%
• Negligent third parties: 10%
• Negligent employees: 16%
• Missing devices: 42%

Are organizations failing to employ remedial measures to reduce the risk of future breaches?
Bar Chart 3: What organizations are not deploying after data breach
• Encryption solutions: 46%
• Conducting training: 46%
• Hiring outside counsel: 63%
• Controlling system disposal: 63%
• Identity & access management: 65%
• Controlling endpoints: 65%
• Event management tools: 73%

57% did not have an incident response plan in place when the breach happened
Bar Chart 4: Did you have an incident plan before the breach?
• Did not have an incident response plan: 57%
• Did not engage outside legal counsel to draft or review plan: 77%

Typical immediate response: prompt notification by letter
Bar Chart 5: Immediate response to data breach
• Prompt notification by letter: 62%
• Assessed harm to victims: 47%
• Offer credit monitoring services: 46%
• Prompt notification by telephone: 22%

81% of respondents have not calculated costs associated with breaches
Bar Chart 6: Cost included in analysis of data breach
• Cost to notify victims: 28%
• Cost of assisting victims: 22%
• Loss of customers: 21%
• Potential litigation: 17%
• Cost to hire experts: 10%
• Potential fines: 10%
• Decline in share value: 9%

Notification strategy: 37% notify everyone, regardless of potential harm
Bar Chart 7: Who needs to be notified?
• Notify everyone (over-report): 37%
• Careful assessment before notifying: 36%
• Notify only after absolute confirmation of harm: 14%

Majority of respondents do not believe that breach victims suffer monetary damages
Bar Chart 8: What percentage of breach victims experienced monetary damages?
• 0% (no monetary damages): 50%
• Between 1 to 2%: 20%
• Between 2 to 4%: 11%

Is management supportive of efforts to prevent data breaches?
Bar Chart 10: Is senior management supportive?
• Had a breach: 80%
• Did not have a breach: 65%

Breaches may impact spending on IT security
Bar Chart 9: Percentage difference between companies that experienced a breach and companies that did not experience a breach
Categories: Encryption; Devices are properly cleaned; Legal counsel; Data leak prevention; Training and awareness; Data inventory
Series: Had breach; Did not have breach
Values as listed: 54%, 37%, 37%, 23%, 54%, 14%, 27%, 10%, 15%, 9%, 41%, 2%

Breaches may change expectations about IT spending
How will IT security spending change in 2007?
• Had a breach: Increase 40%, No change 49%, Decrease 11%
• Did not have a breach: Increase 27%, No change 53%, Decrease 20%

Questions?
Robert J. Scott
Julie Machal-Fulks
Scott & Scott, LLP
2200 Ross Avenue, Suite 5350E
Dallas, Texas 75201
800-596-6176
www.scottandscottllp.com