At more than $7 million, data breaches are costly for organizations, and there are no signs of the costs coming down anytime soon, according to a research study.
The average cost of a data breach for an organization went
up for the fifth year in a row, to $7.2 million, Ponemon Institute found in its
sixth annual data breach report.
Total cost is not the only thing that went up, as the
average cost per compromised record increased to $214, according to the 2010 data breach report
released by Symantec
and Ponemon Institute on March 8. The cost per compromised record was $204 and
total organization cost per breach was $6.8 million in 2009. Total breach costs
have gone up every year since 2006, and the Ponemon Institute did not expect
the trend to dip downwards anytime soon, according to the report.
"We continue to see an increase in the costs to businesses
suffering a data breach," said Larry Ponemon, chairman and founder of the Ponemon Institute.
Ponemon Institute considers a number of factors when
calculating costs, such as the process in which a data breach is detected and
investigated, how the victims are notified and the cost of deploying new
remedies to resolve the issue. There are also other associated costs, such as
setting up a call center to enable victims to get more information, paying for
credit protection services, lost sales and productivity because customers no
longer trust the organization to keep data safe, Josh Shaul, CTO of Application
Security, told eWEEK.
There can be additional costs if regulators crack down
with harsher penalties, such as the recent fines on health care organizations
for violating HIPAA
, he said.
For the second year in a row, data breach costs went up
because organizations responded rapidly to these incidents, the institute
found. Fast-acting organizations wound up spending 54 percent more per record
than companies that moved more slowly, the survey found.
About 43 percent of companies notified victims within one month
of discovering the breach and faced an average per-record cost of $268, the
survey found. More companies, or 7 percent, responded faster in 2010 than 2009,
but their costs went up 22 percent. Companies that took longer to notify users
paid a mere $174 per record.
Most regulations require organizations to notify affected
customers within 60 to 120 days after discovering the breach.
While the total cost of a
can vary by the organization's size, industry, location and
existing security practices, the Ponemon Institute found there was a positive
correlation between the number of records lost and the cost of the incident.
Malicious attacks, regardless of whether they originated
internally or externally, were the most expensive and appear to be increasing
in frequency, the report found. Nearly one-third, of 31 percent, of all cases
involved a malicious or criminal act, up 7 percent from 2009. A malicious
attack was likely to cost companies $318 per compromised record, up 43 percent
Despite the rise of malicious attacks, the most common
threat still comes from negligent employees. The number of breaches caused by
negligence, such as not securing data properly
, increased slightly to 41
percent, and averaged $196 per record, the survey said.
"Securing information continues to challenge organizations
at all levels, but the vast majority of these breaches are preventable," said
Francis deSouza, senior vice president of Symantec's enterprise security group.
Organizations must create a "culture of security" that includes training, data
security policy and technology, he said.
After a data breach, organizations continue to rely
primarily on training and awareness programs to emphasize information security.
While 63 percent of the respondents mentioned training, implementing encyption
mechanisms was the second most popular data-breach remedy, at 61 percent, the
report found. Both encryption and data loss prevention implementations have
increased 17 percent since 2008.
Encrypting data minimizes the impact of lost or stolen data
because thieves or unauthorized users can't easily get access to the sensitive
information. Symantec also recommended organizations integrate information
protection practices into business processes so that security is not an
The 2010 Annual Study: U.S. Cost of a Data Breach is based
on actual data breach experiences in 2010 of 51 companies from 15 different
industry sectors including finance, health care, technology and transportation.
The data breach cases ranged from 4,200 to 105,000 compromised records.