Data Breach Risk Brief: CISO or employee error? Four lessons

Benjamin Redfield

We analyzed real-time data from over 700,000 servers and employee computers and documented the results in the MAX Risk Intelligence Data Breach Risk Brief 2015. Here are results and a few hard lessons learned:

The employee results were a little shocking, even to us. 

  • 87% of the desktops and laptops in the report had unprotected credit card data stored on them.
  • 95% of desktops and laptops would cost more than $25,000 each if breached, and 3% would cost more than $250,000 each. 
  • The highest risk we found on a desktop? $300 million. Million!

Click here to read the full MAX Risk Intelligence Data Breach Risk Brief 2015.

Lesson #1: Employees are beyond your control.

We hear most security leaders saying that they already know where their 'crown jewels' of assets reside. But the results from employee computers show otherwise, even for the most dedicated and experienced CISOs.

That's because even the most advanced perimeter protection cannot control unsafe employee behavior. It's not just malware: everyday productivity tools like Dropbox, thumb drives, and email let unprotected data spread well beyond the systems a CISO has catalogued.

Lesson #2: A handful of 'Worst Offenders' can cause serious damage to your bottom line.

Let's run a scenario for a medium-sized business, say 250 people. If 3% of those machines carry between $250,000 and $1 million in data breach risk each, that is roughly seven or eight laptops, and together they would cost the company millions if a breach occurs.

Security leaders must look beyond their crown jewels to find millions of dollars of risk. 

Lesson #3: Financially prioritizing risk tells you where to put your finite resources first.

This isn't a sales pitch, but it's why we know this works... 

iScan’s patented technology scans even the largest server and most remote device to detect data breach risk missed by other security solutions. Our customers gain visibility into data breach risk with MAX Risk Intelligence’s triple-threat detection (data, vulnerabilities and access permissions). 

Once the data breach risk is detected, we automatically calculate what that device would cost the business if breached by weighting the real-time data breach risk with an industry standard dollar figure. We call this cost the Security Number.

Here's the lesson. Our CISO customers can identify the servers, computers and even mobile devices that are the 'Worst Offenders' – the ones that will cost millions if breached – and remediate those first. No one has endless resources, so being able to prioritize by dollar value is super efficient.
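As an added example (not iScan's or MAX Risk Intelligence's code, and not the patented method described above), the following Python script shows the data-detection half of that prioritization in miniature: it scans a constructed inventory of files from three hypothetical devices for card-number-like strings, drops candidates that fail the Luhn check to limit false positives, and multiplies the surviving record count by an assumed per-record cost to rank the devices worst-first. The device names and file contents are constructed, the card numbers are publicly known test numbers rather than real accounts, and `PER_RECORD_COST_USD = 201` is a placeholder for whatever industry figure your organization uses; the brief itself does not state one.

```python
"""Rank devices by an estimated breach cost from unprotected card numbers.

Added illustration, not the product's own scanner. It covers only the
"data" dimension; vulnerabilities and access permissions are not modeled.
"""
import re
from typing import Dict, List, Tuple

# Assumed placeholder for an industry per-record breach cost (not from the brief).
PER_RECORD_COST_USD = 201

# Candidate primary account numbers: 13-19 digits, optionally separated by
# single spaces or hyphens, not adjacent to other digits.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed sample inventory: device -> {filename: contents}. The card
# numbers are well-known test numbers; 1234567812345678 fails Luhn on purpose.
SAMPLE_INVENTORY: Dict[str, Dict[str, str]] = {
    "laptop-01": {
        "orders.csv": "id,card\n1,4111111111111111\n2,5500000000000004\n",
        "notes.txt": "call back 4111 1111 1111 1111 re: refund",
    },
    "laptop-02": {
        "readme.txt": "no sensitive data here, ticket 1234567812345678",
    },
    "server-db": {
        "export.sql": (
            "4012888888881881\n378282246310005\n1234567812345678\n"
            "6011111111111117\n5105105105105100\n"
        ),
    },
}


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> List[str]:
    """Return every Luhn-valid card-number-like string found in text."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            hits.append(digits)
    return hits


def count_pans(files: Dict[str, str]) -> int:
    """Count stored card-number records across a device's files."""
    return sum(len(find_pans(content)) for content in files.values())


def security_number(record_count: int, per_record_cost: int = PER_RECORD_COST_USD) -> int:
    """Estimated dollar cost if the records on this device were breached."""
    return record_count * per_record_cost


def rank_devices(inventory: Dict[str, Dict[str, str]]) -> List[Tuple[str, int, int]]:
    """Return (device, record_count, estimated_cost) sorted worst offender first."""
    rows = []
    for device, files in inventory.items():
        n = count_pans(files)
        rows.append((device, n, security_number(n)))
    rows.sort(key=lambda r: r[2], reverse=True)
    return rows


if __name__ == "__main__":
    for device, n, cost in rank_devices(SAMPLE_INVENTORY):
        print(f"{device:<12} records={n:<3} est_cost=${cost:,}")
```

Run against the sample inventory the database server comes out on top, the laptop with a spreadsheet of card numbers second, and the clean laptop last; the Luhn filter keeps the 16-digit ticket number on laptop-02 from counting as a record. A real scanner would also weight by who can read each file and whether the host carries exploitable vulnerabilities, which is the "triple-threat" the page refers to.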

Lesson #4: Put a dollar number on risk to get the attention of employees (and executives)

Putting a dollar Security Number on data breach risk creates an effective connection with non-technical executives. You can now:

  • Tie Security Numbers to measurable employee objectives
  • Guide the board on security oversight
  • Engage other executives on how security affects business outcomes
  • Justify security resource requests to the Chief Financial Officer 

Compare yourself to the Benchmarks.

You can find your Security Number right now with a limited-time trial.