The average cost of a serious IT security breach has fallen over the past two years, despite an increase in their frequency and severity, a new report has claimed.
For the first time in seven years the average cost of a breach has decreased, from $7.2m in 2010 to $5.5m last year. Also, the cost per compromised record fell by 10% to $194, the lowest since 2007.
The Ponemon Institute’s research, carried out on behalf of security specialist Symantec, also revealed that negligent employees are still the number one cause of security breaches.
“This is particularly true as the increasing adoption of tablets, smart phones and cloud applications in the workplace means that employees are able to access corporate information anywhere, at any time,” said Francis deSouza, group president, Enterprise Products and Services at Symantec.
“It is essential for companies to put the proper information protection policies and procedures in place to counterbalance these new realities.”
The study noted a decline in business costs such as abnormal customer turnover, brand damage and diminished goodwill as a result of a breach. Lost business costs fell by over a third to $3.01m in 2011, from $4.54m in 2010.
However, the reason for this appears to be growing user apathy towards breach notifications. “Maybe most of us by now have received one if not more notifications,” said Dr. Larry Ponemon, chairman and founder of research think tank Ponemon Institute.
“Over time, if you don’t become a data breach victim as a result of the event, it begins to lose its impact. These notifications are becoming almost ubiquitous. It’s hard to determine which ones I should care about.”
The study revealed that companies could be aggravating their situation by issuing panicky breach notices to users: those that carried out a thorough assessment of the situation before issuing a notice paid less per compromised record.
Similarly, firms that were better prepared to deal with security issues, such as those employing a chief information security officer (CISO), also saw lower costs from a serious data breach, up to 35% less than those that did not.
Analysing companies from 14 different industries, the study took into account a wide range of direct costs, including engaging forensic experts, outsourcing hotline support and providing free credit monitoring subscriptions and discounts on future products and services. Indirect costs include in-house investigations and communication, as well as the extrapolated value of customer loss resulting from turnover or diminished acquisition rates.
Symantec recommends the following information protection best practices:
- Assess risks by identifying and classifying confidential information
- Educate employees on information protection policies and procedures, then hold them accountable
- Implement an integrated security solution that includes reputation-based security, proactive threat protection, firewall and intrusion prevention in order to keep malware off endpoints
- Deploy data loss prevention technologies which enable policy compliance and enforcement
- Proactively encrypt laptops to minimize consequences of a lost device
- Implement two-factor authentication
- Integrate information protection practices into business processes
Key findings from the report include:
- Negligent insiders and malicious attacks are the main causes of data breach. Thirty-nine percent of organizations say negligence was the root cause of the data breaches. For the first time, malicious or criminal attacks account for more than a third of the total breaches reported in this study. Since 2007, they also have been the most costly breaches. Accordingly, organizations need to focus on processes, policies and technologies that address threats from the malicious insider or hacker.
- Certain organizational factors reduce the overall cost. If the organization has a CISO with overall responsibility for enterprise data protection, the average cost of a data breach can be reduced by as much as $80 per compromised record. Outside consultants assisting with the breach response can also save as much as $41 per record. Given the average number of records lost or stolen, all of these factors can provide significant and positive financial benefits.
- Specific attributes or factors of the data breach can also increase the overall cost. For example, in this year’s study, organizations that had their first ever data breach spent on average $37 more per record. Those that responded and notified customers too quickly, without a thorough assessment of the data breach, also paid an average of $33 more per record. Data breaches caused by third parties or by a lost or stolen device increased the cost by $26 and $22 per record, respectively.
- Detection and escalation costs declined but notification costs increased. Detection and escalation costs declined from approximately $460,000 in 2010 to $433,000 in 2011. These costs refer to activities that enable a company to detect the breach and determine whether it occurred in storage or in motion.
- More customers remain loyal following the data breach. For the first time, fewer customers are abandoning companies that have a data breach. However, certain industries are more susceptible to customer churn, which causes their data breach costs to be higher than the average. Taking steps to keep customers loyal and repair any damage to reputation and brand can help reduce the cost of a data breach.
- The cost of data breach declined. For the first time in seven years, both the organizational cost of data breach and the cost per lost or stolen record have declined. The organizational cost has declined from $7.2 million to $5.5 million and the cost per record has declined from $214 to $194.