The high-profile data breaches of 2014 have driven some organizations to make further investments in network monitoring and data protection. Much of the new spending, however, may be on process improvements and staffing to get the most value out of existing security technologies already in place, according to a new survey.
Organizations are creating incident response teams and updating policies and procedures, according to the Ponemon Institute study, "2014: A Year of Mega Breaches," which surveyed 735 IT and IT security professionals. More than 55 percent of survey respondents indicated they created an incident response team as a result of the data breach hysteria, according to the survey, sponsored by data management and loss prevention vendor Identity Finder.
In addition, organizations conducted training and awareness activities, established data security effectiveness metrics, and reassessed missing or outdated policies and procedures, the study found. Sixty-seven percent of respondents said their organization made sure the IT function had the budget necessary to defend it from data breaches. Spending is going into identifying tools and personnel to prevent a breach and identify better ways to detect and contain a security incident quickly.
The massive Target breach at the end of 2013, which impacted 70 million consumers, made security issues top of mind within corporate executive boards and senior management at organizations. Target's CIO and CEO, both veterans, stepped down from their positions at the retailer. The move made senior management more concerned than ever about the state of their organization's information security program.
"After the Target incident, respondents say it became much more of a concern for senior management. Fifty-five percent of respondents rate senior management's concern as extremely high,” according to the report. "Prior to the Target breach, only 13 percent of respondents believed senior management was extremely concerned."
Solution providers said the Ponemon survey documents what they are seeing from existing clients and prospective clients eager to make security improvements. Organizations are spending to bolster their security information and event management (SIEM) platforms, according to the survey. Other technology areas that are becoming a priority are intrusion detection and prevention systems, data encryption, and tokenization and Web application firewalls.
IT teams need to do their due diligence when making the case for a new technology investment, including planning out who will manage it and how it will be maintained over time, said John Wondolowski, CTO of Mill Valley, Calif.-based Chouinard & Myhre Inc., a security solution provider. Wondolowski said he is seeing organizations increasingly add on SIEM capabilities to get more out of prior investments.
"Organizations need to define their risk profile with respect to their competitors and then assess which areas need the most attention," Wondolowski said. "It's all about reducing the attack surface as much as possible where it matters most."
Forty-five percent of respondents surveyed in the Ponemon study indicated that their organization had one or more data breaches in the past 24 months. Lost reputation, brand value and marketplace image suffered the most as a result of the breaches, followed by lost time and productivity.
Organizations also are failing to identify the origin of a breach and respond quickly, according to the survey. Fifty-five percent of those surveyed said their organization could not determine where the breach happened. Thirty-two percent said the breach stemmed from the on-premises data center and 30 percent pointed to an off-premises data center as the origin of the security lapse.
Breaches were discovered accidentally, according to 46 percent of those surveyed. Automated monitoring also played a role in aiding detection.
Incident response processes need to be reviewed regularly and tested, said Rick Doten, a former CISO who is now chief of cyber- and information security at Arlington, Va.-based consultancy Crumpton Group. A thorough review should take into account where the company's most sensitive data resides and identify the likely paths of entry for an attacker, Doten said.
"You can either spend money on technology or spend money on people to be able to do that analysis and understand the business," Doten said. "The most important thing is prioritizing what you need to spend money on, and part of that is based on the potential business impact if a system is breached and data is lost."
PUBLISHED JAN. 26, 2015