Specific attributes or factors of the data breach also can increase the overall cost, the study found.
The organizational cost of a
data breach was $5.5 million last year, and malicious attacks are 25 percent
more costly than other types, according to the findings of Symantec and the
Ponemon Institutes "2011 Cost of Data Breach Study: United States."
The study revealed that negligent
insiders are the top cause of data breaches. However, an investment in security
can pay large dividends, according to the report: Organizations that employ a
chief information security officer (CISO) with enterprisewide responsibility
for data protection could reduce the cost of a data breach by 35 percent per
Thirty-nine percent of
organizations say negligence was the root cause of the data breaches. For the
first time, malicious or criminal attacks account for more than a third of the
total breaches reported in this study. Since 2007, they also have been the most
costly breaches. The report suggested organizations should focus on processes,
policies and technologies that address threats from the malicious insider or
The report concluded that if
the organization has a CISO with overall responsibility for enterprise data
protection, the average cost of a data breach can be reduced as much as $80 per
compromised record. Outside consultants assisting with the breach response also
can save as much as $41 per record.
Specific attributes or
factors of the data breach also can increase the overall cost, the study found.
For example, in this years study, organizations that had their first-ever data
breach spent on average $37 more per record. Those that responded and notified
customers too quickly without a thorough assessment of the data breach also
paid an average of $33 more per record. Data breaches caused by third parties
or a lost or stolen device increased the cost by $26 and $22, respectively.
This years report shows
that insiders continue to pose a serious threat to the security of their
organizations, said Francis deSouza, group president, Enterprise Products and
Services, Symantec. This is particularly true as the increasing adoption of
tablets, smart phones and cloud applications in the workplace means that
employees are able to access corporate information anywhere, at any time. It is
essential for companies to put the proper information protection policies and
procedures in place to counterbalance these new realities.
For the first time in seven
years, both the organizational cost of a data breach and the cost per lost or
stolen record have declined. The organizational cost has declined from $7.2
million to $5.5 million, and the cost per record has declined from $214 to
$194. Detection and escalation costs declined from approximately $460,000 in
2010 to $433,000 in 2011.
One of the most interesting
findings of the 2011 report was the correlation between an organization having
a CISO on its executive team and reduced costs of a data breach, said Larry
Ponemon, chairman and founder of the Ponemon Institute. As organizations of
all sizes battle an uptick in both internal and external threats, it makes
sense that having the proper security leadership in place can help address