Posts Tagged ‘Ponemon Institute’
Tuesday, January 29th, 2013
Technology companies claimed half the slots on Ponemon Institute’s annual top 10 list of the most trusted companies for privacy. Hewlett Packard ranked second, Amazon, third, IBM, fourth, eBay ninth and Intuit tenth.
American Express (AMEX) continued to reign as the most trusted company among the 217 organizations rated.
New tech entries on Ponemon’s top 20 most trusted list included Microsoft at 17 and Mozilla at 20.
In addition to ranking the most trusted companies, the Ponemon study reported that only 41 percent of consumers feel they have control over their personal information, down from 45 percent last year and an overall drop from 56 percent in 2006.
Identity theft a top concern
The survey also noted that identity theft is a top area of concern among consumers: 59 percent of respondents indicated that fear of identity theft was a major factor in diminished brand trust, while 50 percent said notice of a data breach was a factor.
That could give impetus to the changes in U.S. immigration law proposed by a bipartisan group of Senators this week, although its identity card idea is already meeting with opposition from some.
The Ponemon rankings were derived from a survey of more than 100,000 adult-aged consumers who were asked to name up to five companies they believe to be the most trusted for protecting the privacy of their personal information.
Consumer responses were gathered over a 15-week period concluding in December 2012 and resulted in a final sample of 6,704 respondents who, on average, provided 5.4 discernible company ratings that represent 25 different industries.
Monday, August 6th, 2012
Year-over-year results from the Business Banking Trust Study show that SMBs are ongoing victims of account takeover and are still piling up losses from fraudulent ACH, wire and other transactions, according to Guardian Analytics, which sells behavior-based fraud prevention solutions, together with the independent research firm Ponemon Institute.
The most revealing findings are that, as a result of fraud, SMBs are not only losing confidence in their financial institutions’ fraud prevention practices (30 percent of responses), but are taking some or all of their banking business elsewhere (40 percent).
Nearly three-quarters of online fraud attacks successful
The study revealed that 73 percent of online fraud attacks result in the successful transfer of money. Despite efforts by financial institutions to recover funds, 61 percent of reported fraud attacks result in lost funds.
Reimbursement of losses varies – in some cases the business takes the full loss, in some instances losses are shared, and in one quarter of instances, banks reimburse the business fully for any losses. In the end all parties suffer significant financial loss as a result of fraud.
“The Ponemon Institute’s study clearly outlines the strategic impact that fraud has on a financial institution – lost profits and lost customers,” said Terry Austin, CEO, Guardian Analytics.
“Further, recent court cases have sided with businesses when it comes to fraud liability, emphasizing that financial institutions need sound practices and security to protect customers from account takeover attacks.
“Fortunately, there are fraud prevention solutions that are proven to be effective, giving financial institutions a significant opportunity to restore trust with their customers by taking a more proactive stance in preventing fraud.”
Additional findings from the 2012 Business Banking Trust Study include:
SMBs are rapidly increasing their use of online and mobile banking.
- Fifty-four percent of businesses now use mobile devices to access online banking, up from 23 percent in 2010
- The proportion of businesses doing all business banking online has more than doubled from 9 percent in 2010 to 20 percent in 2012
Fraud attacks against businesses are widespread
- Seventy-four percent of SMBs have experienced electronic banking fraud
- Fifty-two percent have been hit by fraud in the past 12 months
SMBs expect their financial institution to be the expert, but think they’re not doing enough
- Seventy-two percent indicate that they hold the FI primarily accountable for ensuring that their online bank account is secure
- However, only 43 percent say their FI takes appropriate action to limit risky transactions
There is room for improvement for all parties’ fraud prevention efforts
- Money left the financial institution before it was noticed in 73 percent of cases
- Year over year, businesses have not improved their own fraud prevention practices
Fraud losses result in lost business for FIs
- Fifty-six percent of SMBs indicate that it would take only one successful fraud attack to lose confidence in their FI’s ability to provide adequate security
- Seventy percent of respondents indicate that online fraud – either successful or just attempted – diminished their trust and confidence in their FI or caused them to take some or all of their banking business elsewhere
“This year’s data confirms that SMBs are looking to their financial institution to be the expert on fraud prevention, and they have every right to do so,” said Dr. Larry Ponemon, chairman and founder, Ponemon Institute. “Fraud techniques continue to evolve rapidly and financial institutions must continually monitor and update defenses to stay ahead of criminal activity. The FFIEC Guidance reinforces this by requiring layered security that, at a minimum, includes anomaly detection, plus risk assessments whenever something in the threat landscape changes, such as the discovery of another new threat.”
The Ponemon Institute’s 2012 Business Banking Trust Study, commissioned by Guardian Analytics with surveys completed in May 2012, provides insights into SMBs’ online banking behavior, their views of banks’ security practices, and the impact just one fraud incident can have on banking relationships. This year’s study was expanded to include sections on ACH payments, mobile banking, and wire transfers. It also provides recommendations for banks and businesses to prevent fraud and improve client trust.
Nearly 1,000 owners and executives of small- and medium-sized businesses (SMBs) in the United States participated in the study.
Download the report here.
Wednesday, January 25th, 2012
Nearly every day, consumers willingly provide their personal information to organizations online without hesitation, failing to realize how that information can be exposed through employee negligence, insider maliciousness, system glitches or attacks by cyber criminals.
With Data Privacy Day (Saturday, January 28) right around the corner, Experian Data Breach Resolution and the Ponemon Institute released today compelling survey findings from more than 500 IT professionals who have experienced a data breach at their company.
“The responsibility of keeping customers’ information secure cannot lie solely on the shoulders of IT; rather every executive in the organization should be aware since the reverberation of a breach will be felt by everyone,” said Ozzie Fonseca, senior director at Experian Data Breach Resolution.
Data breaches often result from human error or crime
“Survey results show us that a data breach is often the result of human error or a crime, neither of which can be 100 percent prevented. As such, companies must put measures in place – training, preparedness plans, guidelines, etc. – to help protect their customers’ information.”
Survey respondents had 10.5 years or more of IT experience, with 73 percent reporting directly or indirectly to the chief information officer (CIO) or the chief information security officer (CISO). Also, to ensure that the answers were based on the same breach throughout the entire survey, respondents were asked to focus only on the one data breach they believed had the greatest financial and reputational impact on their organizations.
“Data breaches are frequent and as a result millions of consumers are vulnerable to having their identity stolen,” said Dr. Larry Ponemon, chairman and founder of Ponemon Institute.
“IT professionals in this study are correct when they say that following the loss or theft of consumer data it is critical for companies to take steps to understand the root cause in order to prevent another breach and protect consumers from future harm.”
The study yielded compelling insights, found below, into how a company assesses the cause, reacts to the breach and evaluates next steps.
- Circumstances of a data breach – After the breach has occurred, there is an obvious immediate question: how did this happen?
  - Sixty percent of respondents say the customer data that was lost or stolen was not encrypted.
  - Examples of the types of data that companies lost included, but were not limited to, email (70 percent), credit card or bank payment information (45 percent), and social security numbers (33 percent).
  - If the organization was able to determine the cause of the breach, most often it was a negligent insider (34 percent); 19 percent say it was the outsourcing of data to a third party and 16 percent say a malicious insider was the main cause.
- Responses to the data breach – After the breach occurred, as with any crisis, response time to all stakeholders is imperative.
  - Startlingly, only half (50 percent) of respondents felt that their organization made the best possible effort to protect customer and consumer information.
  - When it came to reducing the negative consequences of the data breach, retaining outside legal counsel (56 percent) and carefully assessing the harm to victims (50 percent) ranked the highest.
  - Despite the fact that many organizations lose the loyalty of their customers following a data breach, 64 percent of respondents say their company neglected to offer credit monitoring services and 73 percent say they don’t offer identity protection products or services such as credit monitoring and other identity theft protection measures, including fraud resolution, scans and alerts.
- Impact of the breach on privacy and data protection practices – As with any activity that makes a company vulnerable, the key is to figure out how to prevent it from happening again.
  - The majority of respondents (66 percent) say that the experience of investigating the causes of the breach will help them in determining the root causes of future breaches.
  - Negligent insiders and third parties are the main (66 percent) reason organizations are vulnerable to future breaches.
  - Following the data breach, 61 percent of respondents say their organizations increased the security budget and 28 percent hired additional IT security staff.
While respondents were candid with their feedback, they also offered suggestions as to how many of these issues could be addressed in an effort to mitigate future threats.
These resolution points include the following:
- EDUCATE: By far, negligent employees, temporary employees or contractors make organizations vulnerable to future breaches, so conducting training and awareness programs and enforcing security policies should be a priority for organizations.
- SUPPORT: Privacy and data protection became a greater priority for senior leadership following the breach, and as a result security budgets for most organizations in this study also increased. It doesn’t just take time; it takes monetary support as well.
- HIRE: The top three actions believed to reduce the negative consequences of the data breach are hiring legal counsel, assessing the harm to victims and employing forensic experts.
- LEARN: Lessons learned from the data breach are to limit the amount of personal data collected, limit sharing with third parties and limit the amount of personal data stored.
To access the full “Aftermath of a Data Breach” Report, visit www.Experian.com/PonemonAftermathStudy.
Monday, January 16th, 2012
Federal agencies want to embrace the cloud, but are anxious about a “nothing but cloud” approach and the complex security issues it raises, according to SafeGov.org, which surveyed more than 400 federal agency employees on the migration to cloud computing.
Conducted in September 2011 with the Ponemon Institute, the survey focused on the Obama Administration’s Cloud First mandate. The results highlight the need for the Office of Management and Budget (OMB) and the General Services Administration (GSA) to provide greater transparency about cloud security and more credible data about the true cost of cloud services.
“It is important that we assess Cloud First’s progress and how key agency decision-makers are embracing the vision,” said Dr. Larry Ponemon, Chairman and Founder of Ponemon Institute. “That was the goal of this research.”
The survey analyzes the current status of the Cloud First mandate and shows that many in federal agencies believe it is a work in progress. Among respondents, early compliance with the mandate is high but incomplete.
Federal Agency Response to Cloud First Mandate
The survey notes significant pushback from federal agencies on the transition, as reflected by the following migration statistics:
- Eighty-three percent (83%) of respondents have fully or partially identified the first three applications they intend to migrate
- Twenty-five percent (25%) have fully migrated at least one legacy application to the cloud
- Forty-seven percent (47%) say their first migration is in progress
The majority of IT managers reported that the delay was due to concerns about the tight timelines imposed by Cloud First.
- Sixty-nine percent (69%) say the Cloud First framework is too fast
- Seventy-one percent (71%) say that pressure to move to the cloud is inadvertently creating greater security risks for their agency
Preferences for Transition to the Cloud
Concerns also remain high about the actual cost savings and overall security associated with cloud computing. A clear preference for using private clouds among survey respondents reflected ongoing apprehension about keeping sensitive data secure.
- Thirty-eight percent (38%) expect that their agency will be using a federal-only cloud in the coming year
- Twenty-eight percent (28%) expect to use a broader government cloud (open to all levels of government)
- Twenty percent (20%) expect to use a private cloud limited to their own agency
- Seventy-three percent (73%) want their servers to be physically isolated from those used by non-government customers
- Seventy percent (70%) want all cloud provider personnel who have access to their agency’s servers or data to pass rigorous background checks
“We know the transition to the cloud is going to happen. But this survey’s findings show that agencies are still in need of education on the cloud and how they will transition effectively. The key is for agencies to gather as much information as possible and work closely with their vendors to find the most cost-effective and secure option for their respective organizations,” said Jeff Gould, CEO and Director of Research at Peerstone Research and SafeGov.org expert.
Additional information on the Ponemon Institute’s survey results and a complete copy of the executive summary is available on SafeGov.org’s website at www.safegov.org.
Tuesday, March 8th, 2011
Symantec Corp. (NASDAQ: SYMC) and the Ponemon Institute today released the findings of the 2010 Annual Study: U.S. Cost of a Data Breach, which reveals that data breaches grew more costly for the fifth year in a row. The average organizational cost of a data breach increased to $7.2 million, and breaches cost companies an average of $214 per compromised record, markedly higher than the $204 recorded in 2009.
The study also found that for the second straight year organizations’ need to respond rapidly to data breaches drove the associated costs higher. The sixth annual Ponemon Cost of a Data Breach report is based on the actual data breach experiences of 51 U.S. companies from 15 different industry sectors.
“We continue to see an increase in the costs to businesses suffering a data breach,” said Dr. Larry Ponemon, chairman and founder of the Ponemon Institute. “Regulators are cracking down to ensure organizations implement required data security controls or face harsher penalties. Confronted with both malicious and non-malicious threats from inside and outside the organization, companies must proactively implement policies and technologies to mitigate the risk of costly breaches.”
Key findings from the study include:
- Companies that responded rapidly to data breaches paid 54 percent more per record than companies that moved more slowly. Forty-three percent of companies notified victims within one month of discovering the breach, up seven points from 2009. In 2010, these quick responders had a per-record cost of $268, up 22 percent from 2009; companies that took longer paid $174 per record, down 11 percent.
- Malicious or criminal attacks are the most expensive and are on the rise. In this year’s study, 31 percent of all cases involved a malicious or criminal act, up seven points from 2009, and averaged $318 per record, up 43 percent from 2009.
- Negligence remains the most common threat. The number of breaches caused by negligence edged up one point to 41 percent and averaged $196 per record, up 27 percent from 2009. This steady trend reflects the ongoing challenge of ensuring employee and partner compliance with security policies.
- Companies are more vigilant about preventing system failures. System failure dropped nine points to 27 percent in 2010. This trend indicates organizations may be more conscientious in ensuring their systems can prevent and mitigate breaches through new security technologies and compliance with security policies and regulations.
- Data breach costs have continued to rise. The average organizational cost of a data breach this year increased to $7.2 million, up seven percent from $6.8 million in 2009. Total breach costs have grown every year since 2006. Data breaches in 2010 cost companies an average of $214 per compromised record, up $10 (5 percent) from last year.
- Encryption and other technologies are gaining ground as post-breach remedies, but training and awareness programs remain the most popular. Sixty-three percent of respondents use training and awareness programs after data breaches, down four points from 2009. Encryption is the second most implemented preventive measure as a result of a data breach, with 61 percent. Both encryption and data loss prevention (DLP) solutions have increased 17 percent since 2008.
Symantec recommends organizations implement the following best practices, whether or not they have suffered a data breach:
1. Assess risks by identifying and classifying confidential information
2. Educate employees on information protection policies and procedures, then hold them accountable
3. Deploy data loss prevention technologies which enable policy compliance and enforcement
4. Proactively encrypt laptops to minimize consequences of a lost device
5. Integrate information protection practices into business processes
The study, sponsored by Symantec and independently conducted by the Ponemon Institute, takes into account a wide range of business costs, including expense outlays for detection, escalation, notification, and after-the-fact (ex-post) response. The study also analyzes the economic impact of lost or diminished customer trust and confidence as measured by customer churn or turnover rates.
The U.S. Cost of a Data Breach Study was derived from a detailed analysis of 51 data breach cases with a range of nearly 4,200 to 105,000 affected records. The study found there is a positive correlation between the number of records lost and the cost of an incident.
Companies analyzed were from 15 different industries, including finance, retail, healthcare, services, education, technology, manufacturing, research, transportation, consumer, hotels and leisure, media, pharmaceutical, communications and energy.
Companies can analyze their own risk by visiting Symantec’s Data Breach Risk Calculator. Based on six years of trend data, the calculator takes into account an organization’s size, industry, location and security practices to estimate how much a data breach would cost on both a per record and organizational basis.