The costs associated with a data breach are rising, according to a new study that found many firms struggling to lock down information and prevent leakage of sensitive data.
The total average costs associated with data breaches rose slightly since 2007, according to the survey conducted by the Ponemon Institute.
The annual Cost of Data Breach report was funded by encryption vendor PGP Corp. It surveyed 43 firms that experienced a data breach and asked them to give estimates for their expenses. The total average costs of a data breach grew to $202 per record compromised, an increase of 2.3% since 2007 ($197 per record) and 11% compared to 2006 ($182 per record).
Depending on the size of the breach, costs can become astronomical, said Larry Ponemon, founder and chairman of the Ponemon Institute. Some in the privacy community hold the view that people will, over time, become indifferent to data breach notifications. But the Ponemon study found that the costs associated with lost business continue to climb. Lost business now accounts for 69% of data breach costs, up from 65% in 2007.
"Our model suggests that people haven't reached the point of indifference yet," Ponemon said. "When people reach that point the cost of churn should decline, but our findings show the costs continue to creep up year by year."
The survey also found that many firms have trouble preventing repeat data breaches. Of the firms surveyed, 84% said they had experienced more than one breach, though costs are higher for companies experiencing a breach for the first time: the per-victim cost of a first-time data breach is $243 per record, versus $192 per record for companies that have been through one before.
"It's impossible to create an environment where you cannot have a data breach," Ponemon said. "Data breaches will probably continue even for the best of companies, but it's how you detect it, how you respond to it and how you manage the risk that matters most."
Companies are fearful of malicious insiders gaining access to sensitive data, and the rising tide of layoffs resulting from the poor economy has put a spotlight on the insider threat. But insider negligence continued to play the major role in causing data breaches: more than 88% of all cases involved insiders mishandling data, while far fewer breaches were caused by malicious insiders. Malicious incidents are, however, more expensive. The Ponemon study found a per-victim cost of $199 per record for breaches involving negligence, versus $225 per record for breaches involving malicious acts.
Companies are responding to the rising tide of insider threats with security training and awareness programs, Ponemon said. Training programs were started by 53% of the companies surveyed, and 49% of firms said they are also creating additional manual procedures and controls.
Fewer firms are investing in additional technologies. Among the technology options, encryption led: 44% of companies expanded their use of encryption after a breach, the Ponemon survey found.
Technology should be implemented with education and diligence, said Phillip Dunkelberger, president and CEO of encryption vendor PGP Corp. Dunkelberger said all too often businesses get lulled into a false sense of security.
"One of the mistakes people make with encryption is they'll go and encrypt a laptop and forget about thumb drives, email or FTP servers," he said. "People are addressing some issues but not addressing the entire problem."
Some companies outsource the handling of personal information, such as payment transactions and customer loyalty programs, to third-party services. But the Ponemon survey found that those services may increase the risk of data leakage and also increase the cost of a breach. Breaches by outsourcers, contractors, consultants and business partners were reported by 44% of respondents, up from 40% in 2007. Third-party vendors often take more time to investigate and conduct forensic analysis, and services sometimes lose information because of poor processes or inadequate data protection technologies, Ponemon said.
"Not all data breaches are the result of high tech glitches or cybercrimes," Ponemon said. "Sometimes they're pretty low tech."