Ponemon Institute's latest report on data breaches shows putting the CISO in charge of the detection and notification process can makes a difference in your bottom line.
When data breaches occur, strong leadership from the chief
information security officer can make a difference in the damage
done to your corporate budget, according to new research from the
In its latest look at data breaches the institute found that in the
five countries studied (U.S., U.K., Australia, France and Germany),
CISO leadership in the aftermath of a breach slashed the cost per
compromised record by an average of 21 percent compared to
companies without such leadership. The benefits were highest for
companies in Germany and the United States, where costs were reduced 45
and 33 percent, respectively. Despite this finding however, only 40
percent of the breaches in the U.S. and 36 percent of
those in Germany were managed by the CISO.
"Centralizing an organization's approach to data management and
protection usually means following a cohesive strategy instead of an ad hoc approach
Dr. Larry Ponemon, chairman of the institute, told eWEEK. "Without a
single point of accountability you may have vastly different approaches
to information security from department to department and no one
looking out for the best interests of the company. A good
CISO/CSO will understand the company's mission and be able to marshal
available resources to make sure everyone in the organization
working toward that mission with full awareness of relevant laws and
regulations, internal policies, and industry best practices."
The study, which was commissioned by PGP, took a look at data breaches experienced by businesses around the globe in 2009. According to their findings
breaches in the U.S. last year cost an average of $6.75 million, or
$204 per compromised customer record. The overall average across the
five countries was $142 per record.
Countries with data breach notification laws naturally had the
highest costs. For example, the U.S. had a cost per record that was
roughly 43 percent higher than the global average. Germany, which
passed data breach legislation in July 2009 had the second highest cost
per record, reaching 25 percent above average.
"By forcing (breaches) into the public view
there's a greater likelihood that companies will act in their best
interest to take steps to avoid a public event," Ponemon said. "That
means investing in preventative measures, for example. You can be
cynical about the reasons, but if a company takes steps to prevent an
embarrassing data breach for the sole purpose of avoiding a damaging
headline, the resulting increase in security should still be seen as a
While the cost of data breaches fluctuates from year to year, one
thing has remained the same - employee negligence is the leading cause
of data breaches. In the U.S., negligence accounted for 40 percent of
the breaches analyzed by the institute. Just under a quarter of the
breaches (24 percent) were caused by malicious or criminal attacks
"This is a frustrating statistic because it seems that addressing
employee negligence would be the easiest, least costly way to make the
most significant gains in data protection," Ponemon said. "Give
yourself more time to check in at the airport; don't leave your PDA in
the taxi; don't plug into an unsecured home network; don't disable your
laptop's encryption... education and awareness can create a more
vigilant, security-conscious culture, yet we see employee negligence
remains atop the charts."
However, breaches due to negligence tended to be less costly than
others, the research found. Malicious attacks did the most damage to
corporate pocketbooks, and cost much more in countries without data
breach notification laws. For example, malicious attacks in France and
Australia cost 121 percent and 61 percent more respectively per
compromised record than average. In the U.S. by contrast, the cost per
record only went up seven percent.
The report recommended businesses take a number of steps to reduce
the likelihood of data breaches or minimize their impact, including:
ensuring portable data-bearing devices are encrypted, vetting and
evaluating the security posture of third-parties they share data with
and drafting communications that clearly define the root causes of a
breach to minimize customer turnover.
"It doesn't matter where they're located, if a company gains a
reputation for being careless with confidential data, the brand will
suffer," said Phillip Dunkelberger, CEO of PGP, in a statement. "Data
is currency, it needs to be protected. Data breach notification
laws mean consumers are informed; more countries around the world are
looking to tighten their data protection legislation as they realize
lost data means an increase in customer turnover."