Network Computing is part of the Informa Tech Division of Informa PLC

Co3 Tackles One Of Security's Hidden Costs

Billions are being spent annually on protecting information, but Co3 Systems is offering a unique solution for what to do after a data breach occurs. The Cambridge, Mass., software-as-a-service (SaaS) startup is announcing an automated, repeatable way to prepare for data loss events, assess their potential impact, and generate and manage incident response plans more efficiently. Its solution can cut incident response process time by as much as half, and can significantly reduce the risk, expense and resources associated with data loss events, says the company.

According to Gartner, the 2010 software security market was worth $16.5 billion, up 12% from 2010. Add to that the services portion, which will exceed $39.5 billion this year, reports IDC. The other side of this security equation is the cost of cybercrime and data breaches. Norton puts the cost of cybercrime at $114 billion annually, with an additional $274 billion for time lost.

It gets worse, says the second annual Cost of Cyber Crime Study, an HP-sponsored study just completed by the Ponemon Institute. It found the median annualized cost of cybercrime was $5.9 million per year, an increase of 56% from July 2010. During a four-week period, the organizations surveyed experienced 72 successful attacks per week, an increase of nearly 45% from last year. More than 90% of all cybercrime costs were caused by malicious code, denial of service, stolen devices and Web-based attacks.

Co3 says that, according to Ponemon, since the start of 2010, more than 280 million records with private information have been revealed, and that's just the reported incidents. Once a breach occurs, most organizations manage data loss response and communication through a manual process of discovery, regulatory research, and coordination across multiple internal and external stakeholders--law firms, insurance firms, consultants and accountants--in a process that can take weeks (at least).

In addition to industry regulations such as Payment Card Industry Data Security Standards (PCI DSS), there are the different laws, deadlines and requirements in 46 states, three commonwealths and 14 federal agencies in the United States. Co3's service consists of four elements: event preparedness to audit process effectiveness and to refine controls/data inputs and historical information for reporting and monitoring; data event analysis to define the breach scope and impacted data; liability assessment to estimate immediate risk, incorporating all current applicable regulatory requirements, deadlines and associated penalties; and incident response, a workflow with the ability to create, assign and track all tasks to completion. Customers can try the solution free for 90 days, with initial pricing at $450 per month.

"I think that Co3 is one of an emerging class of software purposely built for privacy professionals and privacy situations," says Gartner's Ian Glazer, research director, identity and privacy. "Their offering doesn't change the competitive landscape so much as to start to define what software packages for privacy look like."

The service has been under development for the last 18 months, with input from a customer panel comprising two representatives each from a mix of industry verticals, including health care, banking/financial, consumer/retail, education/university and Internet/media. As part of the service, a team tracks all current and proposed regulations, and an international capability will be added by year end. After the first year, customers can choose between Silver ($1,750 per month, up to five incidents) or Gold ($3,500 per month, up to 10 incidents) service packages.
