The organizational cost of a data breach was $5.5 million last year, and malicious attacks are 25 percent more costly than other types, according to the findings of Symantec and the Ponemon Institutes "2011 Cost of Data Breach Study: United States."
The study revealed that negligent insiders are the top cause of data breaches. However, an investment in security can pay large dividends, according to the report: Organizations that employ a chief information security officer (CISO) with enterprisewide responsibility for data protection could reduce the cost of a data breach by 35 percent per compromised record.
Thirty-nine percent of organizations say negligence was the root cause of the data breaches. For the first time, malicious or criminal attacks account for more than a third of the total breaches reported in this study. Since 2007, they also have been the most costly breaches. The report suggested organizations should focus on processes, policies and technologies that address threats from the malicious insider or hacker.
The report concluded that if the organization has a CISO with overall responsibility for enterprise data protection, the average cost of a data breach can be reduced as much as $80 per compromised record. Outside consultants assisting with the breach response also can save as much as $41 per record.
Specific attributes or factors of the data breach also can increase the overall cost, the study found. For example, in this years study, organizations that had their first-ever data breach spent on average $37 more per record. Those that responded and notified customers too quickly without a thorough assessment of the data breach also paid an average of $33 more per record. Data breaches caused by third parties or a lost or stolen device increased the cost by $26 and $22, respectively.
This years report shows that insiders continue to pose a serious threat to the security of their organizations, said Francis deSouza, group president, Enterprise Products and Services, Symantec. This is particularly true as the increasing adoption of tablets, smart phones and cloud applications in the workplace means that employees are able to access corporate information anywhere, at any time. It is essential for companies to put the proper information protection policies and procedures in place to counterbalance these new realities.
For the first time in seven years, both the organizational cost of a data breach and the cost per lost or stolen record have declined. The organizational cost has declined from $7.2 million to $5.5 million, and the cost per record has declined from $214 to $194. Detection and escalation costs declined from approximately $460,000 in 2010 to $433,000 in 2011.
One of the most interesting findings of the 2011 report was the correlation between an organization having a CISO on its executive team and reduced costs of a data breach, said Larry Ponemon, chairman and founder of the Ponemon Institute. As organizations of all sizes battle an uptick in both internal and external threats, it makes sense that having the proper security leadership in place can help address these challenges.