Attacks/Breaches
3/10/2011
01:25 AM
Connect Directly
RSS
E-Mail
50%
50%

Cost Of Data Breaches Up Again, Ponemon Study Says

Cost per breached record hits $214; average breach costs $7.2 million

Everything's more expensive these days -- and experiencing a major corporate data breach is no exception.

The Ponemon Institute and Symantec earlier this week released the findings of the "2010 Annual Study: U.S. Cost of a Data Breach," which reveals data breaches grew more costly for the fifth year in a row.

The average organizational cost of a data breach increased to $7.2 million and cost companies an average of $214 per compromised record, markedly higher when compared to $204 in 2009, according to the researchers.

"Every year I predict that the costs will go down, and every year, I'm wrong," quipped Larry Ponemon, founder of the Ponemon Institute. "We did see some leveling off last year, but the overall costs are still on the rise."

The sixth annual report is based on the actual data breach experiences of 51 U.S. companies from 15 different industry sectors.

Interestingly, companies that responded quickly to data breaches ended up paying 54 percent more per record than companies that moved more slowly, according to the study. Forty-three percent of companies notified victims within one month of discovering the breach, up seven points from 2009. In 2010, these quick responders had a per-record cost of $268, up 22 percent from 2009; companies that took longer paid $174 per record, down 11 percent.

Malicious or criminal attacks are the most expensive breaches, the study says, and are on the rise. In this year’s study, 31 percent of all cases involved a malicious or criminal act -- up seven points from 2009 --and the cost of these compromises averaged $318 per record, up 43 percent from 2009.

While external breaches are on the increase, negligence remains the most common threat, Ponemon says. The number of breaches caused by negligence edged up one point to 41 percent and averaged $196 per record, up 27 percent from 2009.

Companies are more vigilant about preventing system failures, according to the report. System failure dropped nine points to 27 percent in 2010. "This trend indicates organizations may be more conscientious in ensuring their systems can prevent and mitigate breaches through new security technologies and compliance with security policies and regulations," Ponemon says.

Encryption and other technologies are gaining ground as post-breach remedies, but training and awareness programs remain the most popular, the study says. Sixty-three percent of respondents use training and awareness programs after data breaches, down four points from 2009. Encryption is the second-most implemented preventive measure as a result of a data breach, with 61 percent. Both encryption and data loss prevention (DLP) solutions have increased 17 percent since 2008.

The study takes into account a wide range of business costs, including expense outlays for detection, escalation, notification, and after-the-fact (ex-post) response. The study also analyzes the economic impact of lost or diminished customer trust and confidence as measured by customer churn or turnover rates.

"Churn is still the highest cost that we see," Ponemon said. "There's an attitude out there that users no longer care about their privacy as much, but our data shows that they really do."

The U.S. Cost of a Data Breach Study was derived from a detailed analysis of 51 data breach cases with a range of nearly 4,200 to 105,000 affected records. The study found there is a positive correlation between the number of records lost and the cost of an incident. Companies analyzed were from 15 different industries.

Have a comment on this story? Please click "Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message. Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ... View Full Bio

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-6117
Published: 2014-07-11
Dahua DVR 2.608.0000.0 and 2.608.GV00.0 allows remote attackers to bypass authentication and obtain sensitive information including user credentials, change user passwords, clear log files, and perform other actions via a request to TCP port 37777.

CVE-2014-0174
Published: 2014-07-11
Cumin (aka MRG Management Console), as used in Red Hat Enterprise MRG 2.5, does not include the HTTPOnly flag in a Set-Cookie header for the session cookie, which makes it easier for remote attackers to obtain potentially sensitive information via script access to this cookie.

CVE-2014-3485
Published: 2014-07-11
The REST API in the ovirt-engine in oVirt, as used in Red Hat Enterprise Virtualization (rhevm) 3.4, allows remote authenticated users to read arbitrary files and have other unspecified impact via unknown vectors, related to an XML External Entity (XXE) issue.

CVE-2014-3499
Published: 2014-07-11
Docker 1.0.0 uses world-readable and world-writable permissions on the management socket, which allows local users to gain privileges via unspecified vectors.

CVE-2014-3503
Published: 2014-07-11
Apache Syncope 1.1.x before 1.1.8 uses weak random values to generate passwords, which makes it easier for remote attackers to guess the password via a brute force attack.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Marilyn Cohodas and her guests look at the evolving nature of the relationship between CIO and CSO.