Naavi.org

Key Findings of the Ponemon-2015 Data Breach Study…3
(In continuation of the earlier article..)

The IBM sponsored Ponemon Institute’s study of Data Breach Cost across 11 countries, released recently has brought out several interesting aspects that are relevant to Information Security and Cyber Insurance industry. The key findings are being presented here from the Indian perspective.

In the earlier articles we had observed that the average cost of data breach in India is Rs 3640 per record, the average number of data lost per incident was around 18983 and average gross loss per organization was Rs 9.49 crores.

We had also seen the industry wise distribution of losses and the factors that decrease or increase the loss.

In this article we shall explore the results of the study on components of cost and other issues.

According to the study, there are four important components of the cost of data breach as identified by the study. They are

a) Cost of Detection and Escalation
b) Cost of Notification
c) Cost of Ex-Post response
d) Cost of lost business.

The biggest component of cost of data breach is the value of “Lost Business”. This is estimated at an average of $1.57 million. The next biggest component is the Ex-Post response at $1.07 million followed by cost of detection and escalation of $0.99 million and $0.17 million in terms of notification costs. In terms of percentages the four components mentioned above seem to constitute 26%, 4%, 28% and 41% respectively.

In the Indian context where the average loss is Rs 9.49 crores, the components of the cost appear to suggest that the loss of business amounts to Rs 3.8 crores, Ex Post expense amounts to Rs 2.6 crores, cost of detection and escalation amounts to Rs 2.46 crores and cost of notification amounts to Rs 38 lakhs.

The study therefore clearly indicates that there is a significant loss of business that the business may expect if hit by a data breach incident.

In terms of the probability of a data breach, the study does try to throw some light in terms of how the probability may increase or decrease with the availability or otherwise of comprehensive information security measures. It comes to the conclusion that large scale data breach incidents can be significantly reduced with good BCM measures.

While some of the statistics may be debated whether they can be applied directly to the Indian context or not, we can say that the study is one of the best available indicators of the financial risks that an organization may face on account of data breach. This is extremely significant to the India Cyber Insurance Survey 2015 that is being undertaken.

The Ponemon study indicates that there is a good reverse correlation between Information Security and data breach loss. Better the information security, lower is the cost. This should reflect also in the cost of insurance in the same manner. Better the information security, less should be the insurance cost. Whether such a correlation actually exists or not in practice when the Indian companies underwrite cyber insurance, is what the Cyber Insurance study may reveal.

However, what is clear in the Ponemon study is that the Information Security Industry has a high stake in the Cyber Insurance industry.

Unfortunately this aspect does not seem to have been appreciated fully either by the company managements nor the information security professionals. Both seem to think that Cyber Insurance decisions are decisions taken by the Finance department and the Information Security professionals are not often part of the decision making process and hence donot influence the decisions regarding insurability or fixation of premium. Probably the India Cyber Insurance study will throw some light on who are normally involved in the decision making process when a company is contemplating a Cyber Insurance cover.

Naavi

Copy of the Report

Key Findings of the Ponemon-2015 Data Breach Study…2
(In continuation of the earlier article..)

The IBM sponsored Ponemon Institute’s study of Data Breach Cost across 11 countries, released recently has brought out several interesting aspects that are relevant to Information Security and Cyber Insurance industry. The key findings are being presented here from the Indian perspective.

In the earlier article we had observed that the average cost of data breach in India is Rs 3640 per record, the average number of data lost per incident was around 18983 and average gross loss per organization was Rs 9.49 crores.

In this article we shall explore the results of the study on the industry wise distribution of data breach loss.

Health Sector Suffers the highest loss:

The highest loss was suffered in the Health Sector industry where the average loss was $363 mllion. This was followed by Education at $300 million, Pharmaceuticals at $220 million, Financial at $25 million, Communications at $179 milion and Retail at $165 million. Technology industry suffered a loss of $127 million

It may be observed that the health care and pharmaceuticals which are well regulated under laws such as HIPAA have recorded the highest loss. This only indicates that the regulation has created greater awareness which has led to greater claims being made. But what is surprising is that the Financial industry has shown a relatively lower level of loss compared to health sector. This perhaps indicates the positive impact of better information security management.

Root causes for data breach:

An analysis of the root causes of data breach indicate that 47% of the data breach incidents occurred due to malicious or criminal attack while 29% was due to system glitches and 25% due to human error.

In terms of the losses, the malicious attacks resulted in an average loss of $170 per record, while system glitch cost $142 and Human error, $137 per record.

What Corporates need to understand in this observation is that there are attackers who are targeting them with malicious intentions and there is no room for complacency. Also, losses in 43% of cases due to system glitches and human error is also a matter of concern for the management since these are considered “Avoidable”. In other words, this loss can to some extent be attributed to the “negligence” of the companies themselves.

Speaking specially in terms of India, the cost on account of malicious attacks was Rs 4615 ($71) per record, while on System glitches, it was Rs 2925 ($45) and on human error, it was Rs 3185 ($49). This constituted 38%, 30% and 32% respectively.

Factors that impact the data breach cost

The study indicates that the following factors may have a positive impact and reduce the data breach cost per document.

i) Incident Response Team : $12.6
ii) Use of Encryption: $12.0
iii) Employee training :$8.0
iv) BCM involvement :$7.1
v)CISO appointment::$5.6
vi) Board level involvement: $5.5
vii) Insurance Protection: $4.4

The study also indicates that losses increase on account of the following factors.

i) Third-party involvement : $16
ii) Lost or stolen devices: $9.0
iii) Rush to notify:$8.9
iv) Consultants engaged:$4.5

Impact on Cyber Insurance

The observations recorded in the study may impact the Cyber Insurance Industry in India in the following manner.

a) Industries such as  may be charged a higher premium than other industries.
b) Losses on account of human errors and system glitches could be scrutinized in a forensic analysis and rejected if any negligence is found in the survey.
c) Companies which have taken special measures to reduce human error through apparently effective training may get a rebate measured against the expenses incurred for training.
d) Outsourcing of operations may increase the cost of insurance

P.S: An interesting offshoot of the study is an indication that appointment of a CISO reduces the organizational cost of data breach by an average of Rs 67 lakhs. May be this is an indication of the remuneration package an average CISO should enjoy? …

(..to be continued)

Naavi

Copy of the Report

Key Findings of the Ponemon-2015 Data Breach Study-1

The 2015 IBM sponsored Benchmark study by Ponemon Institute LLC on the cost of Data Breach has now been published and makes some interesting observations which we summarise below.

This findings of the previous (2013) study were discussed in this site earlier and the current study helps us track the changes.

The 2015 Ponemon study is a collection of data across 11 different countries over a period of 10 months. Around 350 companies have particiapted in the study. India was part of the study. To be more relevant, we have tried to presnt most of the data in INR terms using Rs 65 as conversion rate.

In the context the undersigned along with a few other IS professionals has undertaken a “India Cyber Insurance Study”, the findings of this data breach cost study is extremely useful.

What is the cost of Data Breach?

The first parameter to observe is the the cost of a data breach per record and for an organization on an average. The consolidated average cost of breach per data was $154 or Rs 10000. However, there was a significant difference from country to country in this respect. While the loss in US was $217, in Germany it was $211 and Canada it was $207.

On the other hand the loss in India was only $56 or Rs 3640.

It is obvious that in India where the data owners donot have proper legal options to pursue data breach related losses and also that culturally we donot value Privacy as much as in the west, the Indian Companies may have a lighter burden of the data breach losses. This is not an indication that India has better Information Security nor that cyber attacks here are lower.

It can be observed that the data breach losses in India have increased from Rs 2405 in FY 2013 ($37) to Rs 3315 ($51) in 2014 and to Rs 3640(56) in 2015. This represents a near 50% increase in the two year period between 2013 to 2015 and a 10% increase in the last year.

The total organizational cost of data breach on the other hand was an average of $3.79 million on a global scale. Even here, the US topped the list with a loss of $6.53 million while in India the loss was $1.46 million (Rs 9.49 crores).

In India the total organizational loss was Rs 6.5 crores ($1 million) in 2013, Rs 8.9 crores in 2014 and now it has grown to Rs 9.49 crores.

Average number of data records lost was around 28000 in US and around 18983 in India.

Implications on Cyber Insurance-Problem of Under Insurance

In the Cyber Insurance Context, the findings of the Ponemon study indicates that

a) Companies in India are exposed to the risk of loss on account of data breach to the extent of Rs 10 crores on an average.

b) The per record cost which a Cyber Insurance policy should cover is around Rs 3640.

c) The Cyber Insurance policy cover which an organization should aim for is therefore the number of data records multiplied by the expected average loss on account of a breach. This will be the “insurable value of the data”.

The availability of data such as what has been published by Ponemon would introduce some elements of uncertainty to companies which take Cyber Insurance unless they properly clarify the terms of the insurance with the Insurance company.

If an organization fails to value the data assets properly at the time of obtaining the insurance and get a confirmation from the insurance company, there may be a charge of under insurance.

For example, if any organization insures for less than the estimated value of the asset insured, then it would amount to “Under insurance” and in the event of a loss, it  would get covered only  for a proportionate value of the loss.

To be more specific, if an organization has 1 lakh data records, the insurable value would be Rs 36.40 crores . If it takes an insurance of say Rs 10 crore, (30%) then it would be considered as a co-insurer for the balance value of the insurable asset. Hence if this company suffers a loss of say Rs 1 crore, the insurance company may cover only 30 % of the loss and pay out Rs 30 lakhs/-

The premium charged therefore should be calculated with only such expectation and not with the expectation that the entire loss of Rs 1 crore would be covered.

It is necessary for the Insured and the Insurer therefore to define and record how the data assets would be insured and claim settled.

Perhaps a clarification is required from the Cyber Insurance Industry in India in this regard………(To Be Continued)

Copy of the Report

Naavi

Naavi has started a circle on www.localcircles.com, titled “Save Digital India From Cyber Fraud”. The objective of the circle is to get together people interested in collaborating a draft of “Cyber Fraud Prevention Policy” to be submitted to the Government.

I request those who are interested in this exercise to join the forum immediately so that we can start a fruitful discussion.

More Information is available here:

Why Do we need a Cyber Fraud Prevention Policy?

Naavi

On January 5 2002, the undersigned wrote on this blog “Declare a War on Pornography”. This was written in the aftermath of the arrest of Dr L.Prakash, a well known Orthopedist and an innovative industrialist who drifted into the world of criminality because of the lure of money around Cyber Pornography.

This site has consistently expressed an opinion that Cyber Pornography is bad and needs to be curtailed. The following articles are worthy of recall in this aspect.

Times of India group guilty under Sections 67,67A and 67B? Will …

Times of India.. Is it Set to Mislead the Public on Savita Bhabhi Issue?

What Do We Do with Obscenity in Times of India?

Govt Can Ban Porn websites for obscenity

The War on savitabhabhi.com needs to be continued

Cyber Pornography- We need to fight for a Clean Internet

Should we legalize por.n?

In all these articles we had strongly put up a view that Government needs to act strongly to put down Cyber Pornography. In fact when savitabhabhi.com was shut down, many blamed the undersigned being responsible for it and he had to face the wrath of many friends in the IT industry for supporting what is often considered as an archaic view.

Now today’s internet news talks of “#PornBan: Indian government reportedly starts blocking porn sites”.

There are similar reports in other websites and expected criticism from many quarters. I am sure many of my friends in the industry will consider this as an assault on personal freedom particularly after a recent Supreme Court verdict saying that Viewing Pornography by an adult is a “Fundamental Right”

Obviously, this will bring out many adverse reactions and Mr Arnab Goswami will cry “Here is an RSS Agenda”. Mr Digvijay Singh will second him along with Manishankar Iyer.

Let them keep shouting. I feel satisfied that the NDA Government has done a  good thing by this move though I am not sure how long this will last.

I remember having presented in the National IT Convention meeting of BJP in Chennai on 28th September 2008 several issues that BJP needs to address if it comes to power in the 2009 elections  including the issue of Cyber Pornography, National Cyber Army Command etc which are being discussed now .

I am however happy to observe that 13 years after Naavi gave a war cry, and 7 years after the direct interaction, the people who matter seem to have heard it.

I wish the Government will have the courage to withstand the pressures from the opposition and the media lobby and ensure that the Indian Cyber Space is cleaned of pornographic stuff.

Blocking pornographic sites is not only a moral issue but is also a Cyber Security issue. The move to block pornographic sites  will  eliminate one important virus dropping channel that the criminals tend to use often.

I wholeheartedly congratulate the Government on this move. I urge the Supreme Court not to interfere with this decision since it is a National Security issue.

Naavi

In a first of the kind verdict in JMFC Court, in District Pune, Khed, a Cyber Cafe owner was punished for not keeping the visiting register with an imprisonment of 15 days and a fine of Rs 10000/-

The conviction has been done under Section 67C of ITA 2008 and Section 188 of IPC.

Section 67C is for preservation of records and states as under:

Preservation and Retention of information by intermediaries

(1) Intermediary shall preserve and retain such information as may be specified for such duration and in such manner and format as the Central Government may prescribe.

(2) Any intermediary who intentionally or knowingly contravenes the provisions of sub section (1) shall be punished with an imprisonment for a term which may extend to three years and shall also be liable to fine.

Section 188 of IPC states as under:

 Disobedience to order duly promulgated by public servant.—

Whoever, knowing that, by an order promulgated by a public serv­ant lawfully empowered to promulgate such order,

he is directed to abstain from a certain act, or to take certain order with certain property in his possession or under his management,

disobeys such direction,

shall, if such disobedience causes or tends to cause obstruction, annoyance or injury, or risk of obstruction, annoyance or injury, to any person lawfully employed,

be punished with simple impris­onment for a term which may extend to one month or with fine which may extend to two hundred rupees, or with both; and

if such disobedience causes or trends to cause danger to human life, health or safety, or causes or tends to cause a riot or affray, shall be punished with imprisonment of either description for a term which may extend to six months, or with fine which may extend to one thousand rupees, or with both.

Explanation.—It is not necessary that the offender should intend to produce harm, or contemplate his disobedience as likely to produce harm. It is sufficient that he knows of the order which he disobeys, and that his disobedience produces, or is likely to produce, harm.

Illustration An order is promulgated by a public servant lawfully empowered to promulgate such order, directing that a religious procession shall not pass down a certain street. A knowingly disobeys the order, and thereby causes danger of riot. A has committed the offence defined in this section.

It is interesting to observe that under Section 67C, the Government of India has not notified any rules. There is however a rule for Cyber Cafe owners under Section 79. This requires formalities of “Registration” for which a Registration Agency should be there. This has not been notified by the Central Government.

However certain States might have issued notifications under either ITA 2000/8 or other State Laws where the record requirements might have been specified. If no such orders are there, it is difficult to see how Section 67C can be invoked.

As regards Sec 188 of IPC, some annoyance or injury must have been caused to a person (probably a public servant) by an act of disobedience of an order. Not sure if not maintaining the records per-se falls into this category.

However, other information available indicates that the Cyber Cafe owner had earlier sent a “threatening” email to the Police Commissioner. Probably this case was originally filed under Section 66A and later that section might have been dropped.

Any way it is interesting to note that Section 67C might have been invoked for the first time for a conviction. This needs to be taken note of by all Companies  since there could be many non compliance issues of record keeping under ITA 2000/8 of which all of them are guilty. The CISOs and CEOs need to watch their backs.

Naavi

An Android App Available on Google Store