A study by the Ponemon Institute found the average cost of data breaches - from detection to notification to lost business - is rising. The No. 1 cost to companies is lost business, which now accounts for 69 percent of total costs.
Data breaches are costly, and they are not getting any cheaper - particularly breaches due to third parties.
But data breach costs don't just come in the form of a line item
expense tied to notification. They also come in the form of lost
business opportunity, which is far and away the most expensive part of
a data breach, according to a new study by the Ponemon Institute.
According to its survey, which was sponsored by PGP, the average cost of a data breach
from detection to notification and response was $202 per record in 2008. That's an increase from $197 per record in 2007.
According to the study, lost business accounted for 69 percent
of data breach costs in 2008, up from 65 percent in 2007 and 54 percent
Ponemon based its findings on the experiences of 43 organizations
that suffered data breaches. Eighty-four percent of those organizations
had experienced a breach in the past.
Like other studies, Ponemon reported that most breaches were not due
to hackers, but negligence of insiders. Breaches by third-party
organizations such as outsourcers, contractors and consultants were
reported by 44 percent of respondents, more than double the percentage
in 2005. Third-party breaches tended to cost $52 more per record,
"My sense is that a lot of customers still have put far more effort
into protection from the external threat than the internal threat,"
said Mark McClain, CEO of identity and access management vendor
SailPoint Technologies. "They have a lot more in place to protect them
against the infamous eastern European hacker than they do the rogue
However, as we saw in the case of the Heartland Payment Systems
breach and numerous incidents before that, cyber-crooks always have
their eyes on corporate data. In the case of Heartland, the company
first received word of suspicious activity involving credit card
transactions it processed from Visa and MasterCard. It then began an
investigation and found hackers had planted malware on their systems.
Once a breach happened, enterprises tended to invest in training and pursue encryption.
"The first thing they seem to do is they implement manual procedures
and training, which makes sense given that so many of these breaches
are caused by a negligent insider," said Larry Ponemon, chairman of the
institute. "But from a technology perspective it appears that the most
frequently used technology after a breach is encryption and a more
holistic and strategic use of encryption seems to be implied by our
Since announcing the breach, officials at Heartland have established
an internal department dedicated exclusively to the development of
end-to-end encryption to protect merchant and consumer data in
Heartland CEO Robert O. Carr said that while the Payment Card
Industry Data Security Standard is effective, the sophistication of
cyber-thieves requires additional steps.
"There is no single silver bullet that will secure payment systems,
and constant vigilance and monitoring of the infrastructure will always
be required," he said in a statement. "Nevertheless, I believe the
development and deployment of end-to-end encryption will provide us the
ability to implement increasing levels of security protection as they
The idea that being PCI compliant may not fully protect customers or
businesses has led to debates about the role of legislation in IT
security. Though he agreed including guidelines about security
technology in regulations is good, there is a danger that laws can fall
too far behind the times, Ponemon warned.
"There is always a lag to regulations," he said. "Today they say you
must do this type of encryption or that type of software protection but
they are not cognizant of all the other big monstrous security threats
and as a result what you implement is probably not state-of-the-art.
You want to have some flexibility to innovate...not have laws that