In a very interesting study by The Ponemon Institute, the costs of data breaches were analyzed. This is the 5th annual study done by the Institute. The study showed that companies are spending more money to remediate data breaches. The average cost per compromised record per breach rose from $202 to $204. The big driver of the cost of a data breach is the loss of customers: customers who switch to another company because of the breach. To put that in perspective, if you have a data breach that affects 1,000 patients (records), you are looking at around $204,000 in breach-related costs on average. That is a staggering number!
In addition, breaches caused by malicious attacks rose to 24% of all breaches in the study. For the first time, participating companies also reported that data-stealing malware caused breaches. That finding is very troubling: it means that some of the spyware and viruses companies have to deal with are no longer just annoying and disruptive; they are serious issues that may involve the theft of data and lead to data breaches.
Another eye-opening statistic from the report shows that 36% of all data breaches were due to a lost or stolen laptop or mobile device, and a data breach due to a lost or stolen mobile device costs more than any other kind of data breach. If this isn’t reason enough to ensure that your laptops are encrypted, I don’t know of a better one.
Here are some highlights of the study:
U.S. organizations continue to experience an increased cost of data breaches, which includes activities intended to prevent a loss of customer or consumer trust. This rise in expense occurs despite a decline in major media or press coverage of this topic. Overall cost is not declining despite the perception that data breaches are becoming a more mundane issue. This viewpoint may be tied to stabilizing costs of detection, escalation and notification as well as our first-ever observation of a decrease in lost business. The average organizational cost of a data breach increased nearly 2 percent, from $6.65 million in our 2008 study to $6.75 million in 2009. The average cost per compromised record per breach rose only $2, from $202 to $204. The most expensive data breach event included in this year’s study cost one organization nearly $31 million to resolve.
Data breaches from malicious attacks and botnets doubled from 2008 to 2009 and cost substantially more than those caused by human negligence or IT system glitches. The incidence of malicious attacks rose from 12 percent to 24 percent. In addition, the 2009 cost per compromised record of data breaches involving a malicious or criminal act averaged $215, 40 percent higher than breaches involving a negligent insider ($154) and 30 percent higher than breaches from system glitches ($166). For the first time companies participating in the study reported that data-stealing malware caused their breaches. These findings suggest that organizations must start protecting themselves more proactively from increasingly aggressive malicious outsiders.
Data breach continues to be a very costly event for organizations. The average organizational cost of a data breach increased from $6.65 million in our 2008 study to $6.75 million in 2009. The most expensive data breach event included in this year’s study cost a company nearly $31 million to resolve. The least expensive total cost of data breach for a company included in our study was $750,000. The magnitude of the breach event ranged from approximately 5,000 to approximately 101,000 lost or stolen records. As in prior years, data breach cost appears to be linearly related to the size or magnitude of the breach event.
Abnormal churn or turnover of customers resulting directly from the data breach incident appears to be the main driver for data breach cost. In this year’s study, average abnormal churn rates across all 45 incidents are slightly higher than last year (from 3.6 percent in 2008 to 3.7 percent in 2009), as measured by the loss of customers who were directly affected by the data breach event (i.e., typically those receiving notification). The industries with the highest churn rate are pharmaceuticals, communications and healthcare (all at 6 percent), followed by financial services and services (both at 5 percent). The industries with the lowest abnormal churn rates are manufacturing, energy and media (all at or below 1 percent), followed by technology and retail (both at 2 percent).
Thirty-six percent of all cases in this year’s study involved lost or stolen laptop computers or other mobile data-bearing devices. Data breaches concerning lost, missing or stolen laptop computers are more expensive than other incidents. Specifically, in this year’s study the per victim cost for a data breach involving a lost or stolen laptop was $225.
Here are some of the preventative solutions that the report lists:
Preventive Solutions
Especially given the rise in data-stealing malicious attacks, organizations should strongly consider a holistic approach to protecting data wherever it is – at rest, in motion and in use. While manual and policy approaches may come first to mind for many companies, those approaches by themselves are not as effective as a multi-pronged approach that includes automated IT security solutions. Many kinds of automated, cost-effective enterprise data protection solutions are now available to secure data both within an organization and among business partners. Some of the most popular and effective of these technologies currently available include:
- Encryption (including whole disk encryption and for mobile devices/smartphones)
- Data loss prevention (DLP) solutions
- Identity and access management solutions
- Endpoint security solutions and other anti-malware tools
Companies should also look for centralized management of IT security solutions so they can automatically enforce IT security best practices throughout their organizations. Such capability also enables enterprises to align information protection with corporate security policies and regulatory or business-partner mandates.