Data breach costs rise as firms brace for next loss

By Robert Westervelt, News Editor
02 Feb 2009 | SearchSecurity.com


The costs associated with a data breach are rising, according to a new study that found many firms struggling to lock down information and prevent leakage of sensitive data.

The total average costs associated with data breaches have risen slightly since 2007, according to the survey conducted by the Ponemon Institute.

The annual Cost of Data Breach report was funded by encryption vendor PGP Corp. It surveyed 43 firms that experienced a data breach and asked them to give estimates for their expenses. The total average costs of a data breach grew to $202 per record compromised, an increase of 2.3% since 2007 ($197 per record) and 11% compared to 2006 ($182 per record).

Depending on the size of the breach, costs could become astronomical, said Larry Ponemon, founder and chairman of the Ponemon Institute. Some in the privacy community hold the view that people will, over time, become indifferent to data breach notifications. But the Ponemon study found that the costs associated with lost business continue to climb. Lost business now accounts for 69% of data breach costs, up from 65% in 2007.

"Our model suggests that people haven't reached the point of indifference yet," Ponemon said. "When people reach that point the cost of churn should decline, but our findings show the costs continue to creep up year by year."

The survey also found many firms having trouble preventing data breaches. Of the firms surveyed, 84% said they experienced more than one breach, though the costs are higher for companies experiencing a breach for the first time. The per-victim cost for a first-time data breach is $243, versus $192 for experienced companies.

"It's impossible to create an environment where you cannot have a data breach," Ponemon said. "Data breaches will probably continue even for the best of companies, but it's how you detect it, how you respond to it and how you manage the risk that matters most."

Companies are fearful of malicious insiders getting access to sensitive data. The rising tide of layoffs as a result of the poor economy has put a focus on the insider threat. But insider negligence continued to play a major role in causing data breaches. More than 88% of all cases involved incidents of insiders mishandling data. Far fewer breaches were from malicious insiders. The Ponemon study found that the per-victim cost of data breaches involving negligence was $199 per record, versus $225 per record for malicious acts.

Companies are responding to the rising tide of insider threats with security training and awareness programs, Ponemon said. Training programs were started by 53% of those companies surveyed. Forty-nine percent of firms said they are also creating additional manual procedures and controls.

Fewer firms are investing in additional technologies. Encryption was the first technology implemented after a breach. Of the technology options, 44% of companies have expanded their use of encryption, the Ponemon survey found.

Technology should be implemented with education and diligence, said Phillip Dunkelberger, president and CEO of encryption vendor PGP Corp. Dunkelberger said all too often businesses get lulled into a false sense of security.

"One of the mistakes people make with encryption is they'll go and encrypt a laptop and forget about thumb drives, email or FTP servers," he said. "People are addressing some issues but not addressing the entire problem."

Some companies turn to the use of third-party services to handle personal information such as payment transactions and customer loyalty programs. But the Ponemon survey found that those services may increase the risk of data leakage and also increase the cost of a breach. Breaches by outsourcers, contractors, consultants and business partners were reported by 44% of respondents, up from 40% in 2007. Third-party vendors often take more time to investigate and conduct forensic analysis. Services sometimes lose information due to poor processes or inadequate data protection technologies, Ponemon said.

"Not all data breaches are the result of high tech glitches or cybercrimes," Ponemon said. "Sometimes they're pretty low tech."
