Attacks/Breaches
3/20/2012
12:55 PM
Connect Directly
RSS
E-Mail
50%
50%

Data Breach Costs Drop

Better response plans, improved investigation experience, and customer fatigue from breach notifications result in lower costs overall.

Securing The Super Bowls Of Sports
Securing The Super Bowls Of Sports
(click image for larger view and for slideshow)
The business cost of individual data breaches is decreasing. Notably, the average cost of a breach declined by 24%, from $7.2 million in 2010 to $5.5 million in 2011.

That finding comes from the seventh annual U.S. Cost of a Data Breach report from Ponemon Institute and Symantec Research. The study examined the 2011 data breach experiences of 49 U.S.-based organizations and interviewed a total of 400 people with direct knowledge of the IT, information security, and data breach cleanup efforts at those organizations.

It's the first time that researchers have ever seen data breach costs decline. What's behind the shift? According to the Ponemon report, researchers saw a 10% decrease in the per capita cost of breaches, which includes the cost of investigating breaches. They also saw the average size of data breaches decrease by 16% and "abnormal churn"-- customers who defect over data breaches--decrease by 18%.

"We find that companies who are not able to manage your data are viewed as less trustworthy," said Larry Ponemon, chairman and founder of the Ponemon Institute, in an interview. That's especially true for heavily regulated organizations, including financial services and healthcare organizations, which customers tend to hold to a higher standard. As a result, those industries have higher breach costs than normal since replacing lost customers is expensive.

[ From Sony to Nasdaq, read about some of the most significant corporate data breaches in 2011. See 6 Worst Data Breaches Of 2011. ]

But in an era in which the number of breaches--and often their severity--seems to be increasing, the overall decrease in customer churn resulting from breaches suggests that the average consumer may be facing data breach notification burnout. "Maybe people are numb to data breaches," said Ponemon. "There are still many people who care deeply about it, but maybe there are more people worried about the economy, their job security, or the state of gas prices."

The study also found that the number of data breaches that were caused by malicious attacks increased from 31% in 2010 to 37% in 2011. The leading cause (in 50% of cases) was malware, followed by malicious insiders (33%), device theft (28%), SQL injection (28%), and phishing attacks (22%). Interestingly, 17% of all data breaches also involved social engineering attacks. "We think about the evil hacker, which is pretty serious stuff, but in our study, we find that it's really the malicious insider--someone who's nefarious or angry at the organization--that presents the real danger to the company," said Ponemon.

Beyond malicious attacks, meanwhile, 39% of data breaches in 2011 were caused by negligent insiders, and 24% by system glitches.

Another factor behind the decreased cost of data breaches is that businesses' detection costs decreased by 6% from 2010, to an average of $428,330 per incident in 2011. "We think that companies are more efficient in investigating the data breach and organizing themselves around their incident response plan," said Ponemon. In the same time period, however, notification costs did increase by 10%, to $561,495 per incident, which he ascribed to businesses wanting to ensure that they remained compliant with states' more stringent notification rules.

The report found that there are a number of ways that organizations can better control their data breach costs. Notably, companies that have a CISO who is responsible for data protection and outside consultants to assist with the response saw reduced costs, in large part because these companies had the right policies and procedures in place, including a data breach response plan. "It helps the organization manage their team and not do extraneous things, like having two or three different parts of the organization hiring different forensic teams to conduct the investigation," said Ponemon.

But breach costs went up when the data was exposed by a third party or a lost or stolen device. This increase is due to the difficulty of conducting a forensic examination, especially for businesses that failed to keep up-to-date backups.

Another cost hit came from organizations that responded rapidly to breaches and quickly notified affected customers. "A lot of companies, believe it or not, over-report their data breach because they just want to get rid of it," said Ponemon. But in numerous cases, he said, businesses ended up over-reporting the scope of their breach--sometimes by a factor of five or 10. The lesson: sometimes it's prudent to let breach investigators finish their job before alerting customers.

The biggest threat to your company's most sensitive data may be the employee who has legitimate access to corporate databases but less-than-legitimate intentions. Follow our advice in our Defend Data From Malicious Insiders report to mitigate the risk. (Free registration required.)

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Andrew Hornback
50%
50%
Andrew Hornback,
User Rank: Apprentice
3/20/2012 | 11:26:17 PM
re: Data Breach Costs Drop
I think there's a very important point here about how people have become so numb to these data breaches in that they don't migrate to a competitor.

Let's consider this for a moment - your bank or health insurance provider has a breach and your data is compromised. What do you do? Stay with the same provider or move to a competitor. Now, let's examine what kind of impact that moving to another provider would have on a person's life - changing banks, especially if you are using Direct Deposit or automatic bill payment, is not the easiest thing in the world to do and can very often end up costing you money in the process, then you have to worry about using different ATMs, etc.

What about changing health insurance providers? There are only so many options that the average worker has these days and switching from one network to another can be a major challenge - making sure that your current medical service providers, pharmacies, etc. are on your new plan or making changes, etc. can get overwhelming.

Then when you factor in the idea that if Company A can get hacked and suffer a data breach, what's to say that Company B won't as well? Then you've just suffered through all of that aggrevation for naught.

And finally, once your private information is "publicly available", can you ever remediate things to make that private again? Sure, it's possible, but not without a LOT of aggrevation.

Add it all up, and the average family is more worried about keeping a roof over their heads, gas in the car and food on the table.

Andrew Hornback
InformationWeek Contributor
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-3541
Published: 2014-07-29
The Repositories component in Moodle through 2.3.11, 2.4.x before 2.4.11, 2.5.x before 2.5.7, 2.6.x before 2.6.4, and 2.7.x before 2.7.1 allows remote attackers to conduct PHP object injection attacks and execute arbitrary code via serialized data associated with an add-on.

CVE-2014-3542
Published: 2014-07-29
mod/lti/service.php in Moodle through 2.3.11, 2.4.x before 2.4.11, 2.5.x before 2.5.7, 2.6.x before 2.6.4, and 2.7.x before 2.7.1 allows remote attackers to read arbitrary files via an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) is...

CVE-2014-3543
Published: 2014-07-29
mod/imscp/locallib.php in Moodle through 2.3.11, 2.4.x before 2.4.11, 2.5.x before 2.5.7, 2.6.x before 2.6.4, and 2.7.x before 2.7.1 allows remote attackers to read arbitrary files via a package with a manifest file containing an XML external entity declaration in conjunction with an entity referenc...

CVE-2014-3544
Published: 2014-07-29
Cross-site scripting (XSS) vulnerability in user/profile.php in Moodle through 2.3.11, 2.4.x before 2.4.11, 2.5.x before 2.5.7, 2.6.x before 2.6.4, and 2.7.x before 2.7.1 allows remote authenticated users to inject arbitrary web script or HTML via the Skype ID profile field.

CVE-2014-3545
Published: 2014-07-29
Moodle through 2.3.11, 2.4.x before 2.4.11, 2.5.x before 2.5.7, 2.6.x before 2.6.4, and 2.7.x before 2.7.1 allows remote authenticated users to execute arbitrary code via a calculated question in a quiz.

Best of the Web
Dark Reading Radio