Craig discusses the IBM/Ponemon Institute Cost of a Data Breach study and why credential theft is a pre-eminent form of cybercrime.
For more tech tips, news, and updates visit – CraigPeterson.com
Automated Machine-Generated Transcript:
[00:00:00] Welcome back, everybody. We’re talking right now about IBM’s latest data breach report. What does it mean to businesses and to you as a home user?
Of course, this is Craig Peterson that you’re listening to. You can get my weekly report by just going online. I have a newsletter. We have a whole ton of great information available for you. So check that out, make sure you subscribe, and I’ve got, well, it’s like four different free gifts. One of them is the most coveted gift that I’ve given out.
I’ve had so many great compliments on it, and that’s your security reboot guide, but you’ll get that if you sign up at CraigPeterson.com/subscribe. I think you’re really, really going to like it. So we were talking about the IBM report before the break.
[00:01:00] Let’s complete that. Now, this is the Cost of a Data Breach Report 2020, and it was done by the Ponemon Institute.
And then IBM did some analysis on it. So let’s look at the average total cost by security automation level. Fully deployed: $2.45 million. So if you fully deploy your security, if you have everything your security team tells you “yeah, you need,” a breach is going to cost you about two and a half million dollars.
If you’ve partially deployed, like my customer here who had the breach coming in via Mexico, and so we had some stuff there, but not everything that we had recommended, and that is actually required by the federal regulations he’s supposed to be abiding by. Partially deployed, the cost jumps from $2.45 million
[00:02:00] to $4.11 million, the cost of a breach.
So let me see right there. You save yourself almost $2 million, which is more than what it would cost you to do this, right, if you’re a small business. And then not deployed at all, a breach is going to cost you about $6.03 million. Absolutely incredible. Now, what are the main parts of this cost? Well, the customer’s personally identifiable information. So that’s things like their name, their email address, their phone number, bank account numbers, maybe Social Security numbers, maybe credit cards. Right? All of that is called PII and it’s the stuff that should not ever be disclosed. So if you’re a consumer, you kind of expect the business to keep that information confidential, right?
[00:03:00] Here we go. Breaches that have customer identifiable information account for 80% of all of the breaches. Isn’t that sad? So 80% of the time when there’s a breach, somebody’s personal information is stolen. And the average cost per customer record in a malicious attack is about $175, in case you’re not aware of it.
If you’re a retailer, a retailer is fined incredible amounts. I think right now it’s a minimum of $125 per credit card that they’ve taken, if it’s breached and they have credit card information on their systems. That’s a lot of money, but on average it costs about $175 per customer record that’s stolen. Next up here on the screen, and you’ll find this online
[00:04:00] again by searching for IBM and their 2020 data breach report: compromised credentials and cloud misconfiguration
lead the way. Well, compromised credentials. Hmm. What would those be? How about your username and password? More and more businesses are moving to the cloud. And if you are using the same email address and you’re using the same password, yeah, you knew what I was going to say, didn’t you, for your accounts?
You’re in trouble. And that’s why I keep reminding people that they should go to haveibeenpwned.com to check and see if their email address has been stolen in a breach. I’m playing around, by the way; I almost guarantee it has, unless you’ve got a very, very current email
[00:05:00] address. So 19% of these breaches came in through compromised credentials. Other ways to do that:
Obviously nowadays phishing is a very, very big way that some of this data is stolen, but these were the most expensive initial attack vectors: compromised credentials and cloud misconfiguration. Now, you know how much I hate VPNs. Right now, there is a need for them. Don’t get me wrong. But almost always, it’s more of a problem than the problem you’re trying to solve using a VPN.
So one of the things we talked about here just a couple of weeks ago was how the VPN data from, I think it was eight different VPN providers, was found online, like 1.2 terabytes
[00:06:00] worth of personal information. Now, these are all VPN services that said we don’t log, we’re not logging, don’t worry.
We’re great here. You can trust us. We’re secure and we’re not logging. We’re not selling your data. What was discovered online in a misconfigured cloud server? All of the places you had been, your password in clear text, your username. So now that data is stolen, and anybody that was using one of these free VPN services is affected.
And I caution you against the paid ones as well, but anyone that was using one of these free VPN services is out of luck, because the bad guys have the username that you use and your password. So again, that’s why I keep stressing: get 1Password. It’s the best, bar none, 1Password. I don’t make a dime off of this.
Right. Uh, but 1Password,
[00:07:00] and make sure you use different passwords every time and have 1Password generate them for you. I have 1Password generate passwords that are usually four or five words long, and then I have special characters between each one of the words, and those are almost impossible to crack.
It would take over a hundred years in most cases, unless I’m using one of these VPN services that doesn’t bother encrypting my password. They weren’t doing some sort of a SHA hash or an MD hash or anything? No, no, no, no, clear text. Okay. Uh, so 19% were from compromised credentials, 19% were from cloud misconfiguration, and 16%
were from a vulnerability in third-party software. So the costliest initial attack vectors: compromised credentials, number one. So keep that in mind, everybody, whether you’re a home
[00:08:00] user or you’re a business user, on that router. Heaven forbid you’re using a consumer router and firewall in a business. Don’t do it.
And in most cases, people never bothered to change the default username and password on their firewall. So bad guys get in. $4.77 million is the average cost with compromised credentials. Amazing. Vulnerability in third-party software, four and a half million dollars. And what does that tell you?
Patch. Remember, when you’re talking about Microsoft and you’ve turned on the automatic updates on Windows, all it’s going to update is Windows and the core Windows utilities. It’s not going to update your Adobe software, uh, you know, your Photoshop and whatever third-party, you know, engineering
[00:09:00] software, drafting software, whatever.
It’s not going to automatically update them. And then so many businesses are saying, well, okay, you have to run Windows XP or have to run Windows 7 because I can’t get the latest version of the software. The company went out of business or it’s too expensive. And then number three, cloud misconfiguration.
So both vulnerability in third-party software and cloud misconfiguration account for about a four and a half million dollar breach each. Real big deal.
So stick around, we’re going to go through some more here.
I enjoy being with you. Thanks for being with me. We will be right back.
You’re listening to Craig Peterson.