The costs associated with a data breach have declined for the first time in seven years, a change that may reflect better planning and strong security leadership, according to the annual 2011 Ponemon Cost of Data Breach Report.
Both the average organizational cost of a data breach and the average cost per lost or stolen record have declined. The organizational cost dipped from $7.2 million in 2010 to $5.5 million in 2011, according to the report. Meanwhile the cost per compromised record (a record being data that identifies an individual whose information was exposed in the breach) declined from $214 in 2010 to $194. The study excluded breaches of more than 100,000 records to avoid skewing the averages.
The report, commissioned this year by Symantec, analyzed data breach costs at 49 U.S.-based organizations and found fewer customers frustrated enough to leave an organization that lost their personal information. Customer churn fell by about 18%, which may be an indication that “people are numb to the whole thing,” said Larry Ponemon, founder and chairman of the Ponemon Institute LLC.
“Maybe some people believe they are powerless so they worry about other things,” Ponemon said.
The Ponemon analysis covered both direct and indirect expenses of a breach. Direct costs included engaging forensic experts, outsourcing hotline support, and providing victims with free credit monitoring subscriptions and discounts on future products and services. Indirect costs included the internal IT response and communication with customers and regulators.
Organizations that execute a formal incident response plan, and that have a CISO or another leader who heads the response and drives security into the organization's culture, appear to limit the negative effects of a breach, Ponemon said. Organizations with a CISO reduced costs by as much as 35% per compromised record, the report found. Engaging an external consultant to help handle the breach also reduced costs.
“It’s all about the governance of the organization and how it addresses data protection and privacy issues,” Ponemon said. “Organizations should probably have one security leader; we know that companies that have CISOs are different culturally than companies that don’t.”
The results also indicate that organizations need to complete a thorough assessment of the incident before initiating breach notification. Organizations that respond too quickly typically notify too many people as potential victims, which raises the cost per record. Forty-one percent of organizations notified victims within 30 days, after investigating the incident, Ponemon said. “A rapid response results in incurring more costs,” he said. “Being systematic and surgical about identifying who is at risk can reduce costs.”
Security technology may also be a factor in the decline in breach costs, Ponemon noted. Data loss prevention (DLP) technology, which identifies sensitive data and then monitors for it leaving the organization, can reduce the scope of a breach, he said. In addition, organizations appear to be deploying stronger authentication, including two-factor authentication, along with encryption and tokenization around credit card data and personally identifiable information (PII).
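The two controls Ponemon names for card data, DLP detection and tokenization, fit together: a scanner finds primary account numbers (PANs) in outbound text, and a tokenizer swaps each one for a surrogate that is useless to an attacker but still lets downstream systems match the card. The following is an added illustration written for this page, not code from the report or from any DLP or tokenization product. The `SAMPLE_LOG` lines are constructed, the in-memory `TokenVault` stands in for a real, separately hardened vault, and the token format (`TOK-` plus twelve random letters plus the last four digits) is an assumed convention. A Luhn check is used to separate real card numbers from other 13-19 digit runs such as order IDs.

```python
import re
import secrets
import string

# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes,
# and not embedded in a longer run of digits (the lookarounds reject that).
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Assumed token format: TOK-<12 uppercase letters>-<last four digits of the PAN>.
# Letters (not hex) are used so a token can never itself look like a PAN.
TOKEN_PATTERN = re.compile(r"TOK-[A-Z]{12}-\d{4}")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9          # same as summing the two digits of the product
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list:
    """DLP detection: return the Luhn-valid card numbers in text, separators removed."""
    found = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            found.append(digits)
    return found


def find_tokens(text: str) -> list:
    """Return the surrogate tokens present in text (for auditing a redacted output)."""
    return TOKEN_PATTERN.findall(text)


class TokenVault:
    """In-memory stand-in for a tokenization vault (assumed for the example).

    The vault holds the only mapping from token back to PAN; everything outside
    it only ever sees the token, so a breach of the application data exposes
    no card numbers.
    """

    def __init__(self):
        self._token_to_pan = {}
        self._pan_to_token = {}

    def tokenize(self, pan: str) -> str:
        # Same PAN -> same token, so tokenized records stay joinable.
        if pan in self._pan_to_token:
            return self._pan_to_token[pan]
        letters = "".join(secrets.choice(string.ascii_uppercase) for _ in range(12))
        token = f"TOK-{letters}-{pan[-4:]}"   # last four kept for customer service
        self._token_to_pan[token] = pan
        self._pan_to_token[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        return self._token_to_pan[token]


def redact(text: str, vault: TokenVault) -> str:
    """Replace every Luhn-valid PAN in text with a vault token; leave other digit runs alone."""
    def _sub(m):
        digits = re.sub(r"[ -]", "", m.group(0))
        if not luhn_valid(digits):
            return m.group(0)
        return vault.tokenize(digits)
    return PAN_CANDIDATE.sub(_sub, text)


# Constructed sample log lines: two real-format test PANs and a 16-digit order ID
# that fails Luhn and must not be flagged.
SAMPLE_LOG = [
    "2011-11-02 10:14:03 checkout user=jdoe card=4111 1111 1111 1111 amount=42.50",
    "2011-11-02 10:14:07 order id=1234567890123456 status=ok",
    "2011-11-02 10:15:11 support callback phone=555-0100 ref=4242-4242-4242-4242",
]


if __name__ == "__main__":
    text = "\n".join(SAMPLE_LOG)
    print("PANs detected:", find_pans(text))
    vault = TokenVault()
    print(redact(text, vault))
```

Running the block prints the two detected PANs and the same log with each replaced by a token, while the order ID is left intact. In a real deployment the vault would sit behind its own access controls and audit logging, and the scanner would run at egress points (mail gateways, log shippers, file shares) rather than over an in-memory string.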
Employee negligence was the most common root cause of the breaches Ponemon studied. Thirty-nine percent of organizations had a breach as a result of a lost or stolen mobile device, a category that included laptops, smartphones, tablets and USB drives holding confidential or sensitive information. Only 18 organizations, or 37%, attributed the breach to a malicious insider or an external attacker.
Ponemon said the most costly breaches typically involve malicious acts against the company rather than negligence or system glitches.
Among the report's other findings, 41% of organizations had a data breach caused by a third party, indicating that some companies have little knowledge of their partners' security processes, Ponemon said.
Of the 18 organizations that attributed their breach to a malicious insider or an external attacker, malware was involved in at least half of the incidents, and 33% involved criminal insiders such as rogue employees or contractors. Ponemon noted that organizations are deploying better technologies to detect anomalies, identify attacks and block them, or contain an infection before it becomes a serious problem.
“We think that the frequency of malicious attacks is increasing and companies are getting better at detecting those attacks,” Ponemon said. “They’re also getting smarter in their ability to identify the root cause.”