Data breaches cost organizations $7.2 million on average in 2010, up seven percent from $6.8 million the previous year, according to the latest Cost of Data Breach study, released Tuesday by Symantec and the Ponemon Institute.
The sixth-annual study, which assessed the costs of activities resulting from the actual data breach experiences of 51 U.S.-based organizations, found that the incidents cost companies an average of $214 per compromised record in 2010, up $10 from the previous year. This is the fifth consecutive year that costs have increased.
The most expensive breach analyzed in the study cost $35.3 million, while the lowest was $780,000. The CEO of one company included in the data set was “extremely overwhelmed” by all of the costs associated with his organization's breach, Larry Ponemon, chairman and founder of the Ponemon Institute, told SCMagazineUS.com on Monday.
“It's not uncommon that people will say, 'That's a pretty expensive proposition and we might be underestimating it,'” Ponemon said.
Business-related costs, such as customer loss and decreases in employee productivity, account for the largest proportion of total breach costs, according to the study. Other expense areas include detection or discovery of the breach, notification, and response activities to help victims.
The study also found that moving too quickly through the breach process may cause inefficiencies that ratchet up costs. Forty-three percent of respondents said they notified victims within one month of discovering the breach. These quick responders paid an average of $268 per lost record, compared to $174 paid by organizations that took longer.
“Organizations that are fast are also less precise when identifying who is at risk,” Ponemon said. “So, there's this over-reporting phenomenon, which can lead to the loss of customers.”
Companies, however, may feel pressure to report the breach and notify victims as quickly as possible due to regulations and laws, according to the study.
Meanwhile, malicious or criminal attacks are increasingly the root cause of breaches, according to the study. In 2010, 31 percent of cases involved criminal attacks, up seven percent from 2009.
Negligence, however, is the most prevalent cause of breaches, accounting for 41 percent of incidents in 2010.
On a positive note, organizations are becoming more vigilant to prevent breaches, the study found. The prevalence of breaches due to system failures, lost or stolen devices, and third-party mistakes all decreased in 2010 compared to the previous year. In addition, more companies placed a CISO in charge of breach response.
To help prevent future data-leakage incidents, nearly two-thirds of respondents said they implemented training and awareness programs. Also, 61 percent of respondents said they expanded their use of encryption after a breach in 2010, up three percent from the previous year. Other popular preventative measures included adding more manual procedures and controls and deploying identity and access management or data leakage prevention solutions.
Brian Tokuyoshi, senior product marketing manager for Symantec, told SCMagazineUS.com on Friday that deploying encryption before a breach could ultimately lead to cost savings. Data breach regulations vary by state, but organizations typically are not required to notify individuals when missing data is encrypted.
“We've seen a lot of encryption projects get taken up after a breach,” he said. “That is usually too late. It's not going to do anything to help data that's already been lost.”
Other best practices for avoiding data breaches include educating employees on information protection policies and procedures, and assessing risks by identifying and classifying confidential information, according to the study.