Strong Security Management Helps Control Data Breach Costs: Study
Companies that take a strong security posture, create an effective incident response team and hire a chief information security officer will likely reduce the costs of network breaches by as much as 25 percent, according to a study by the Ponemon Institute that was sponsored by Symantec.
While the average cost of breaches worldwide inched up to $136 per compromised record, compared to $130 per compromised record last year, the cost of a data breach declined in the United States by $6 per record, down to $188, according to Ponemon’s 8th Annual Cost of Data Breach Study. Germany surpassed the United States this year as the country with the highest data breach costs, with companies paying $199 per record compromised.
"The cost of data breaches does vary tremendously by country," Larry Ponemon, chairman at the Ponemon Institute, told eWEEK. "However, the cost in the U.S. seems to be edging downwards."
Negligence and system errors continue to be the major cause of breaches, accounting for nearly two-thirds of data leaks, but malicious attacks are increasingly the reason for compromises. While the cause of data breaches varied by country, malicious attacks caused an average of 37 percent of the breaches studied in 2012, up from 24 percent in 2009, according to the report. Negligence remains a roughly constant threat across all locales.
In addition, malicious attacks are the most expensive to clean up, according to the Ponemon report. In the United States, breaches due to malicious attacks cost $277 per record to clean up, compared to $174 per record for breaches caused by system glitches and $159 per record for those caused by negligence.
Breaches cost more if a third-party error caused the breach or if a lost or stolen device triggered a breach notification. In addition, being too quick to announce a breach can make it more costly, not less, the Ponemon study found.
Yet a few factors also reduced the cost of breaches. A strong security posture cut breach costs by an average of $15, the existence of an incident response plan by $13 and the appointment of a chief information security officer by $8. While the factors are not necessarily additive, the three measures combined could cut costs by up to 25 percent.
"Companies need to get an incident response process in place, have a security team or executive responsible for security in place, and work with your peers in your line of business," Linda Park, product marketing manager at Symantec, told eWEEK.
Overall average losses due to breaches held approximately steady year over year at $3.03 million, although the typical breach cost $5.4 million in the United States and $4.8 million in Germany. The number of customers lost following a breach decreased 13 percent.
The study considered only breaches that involved fewer than 100,000 records, and the actual number of records involved in the studied compromises ranged from 2,300 to 99,000.