Attacks/Breaches
3/10/2011
01:25 AM
50%
50%

Cost Of Data Breaches Up Again, Ponemon Study Says

Cost per breached record hits $214; average breach costs $7.2 million

Everything's more expensive these days -- and experiencing a major corporate data breach is no exception.

The Ponemon Institute and Symantec earlier this week released the findings of the "2010 Annual Study: U.S. Cost of a Data Breach," which reveals data breaches grew more costly for the fifth year in a row.

The average organizational cost of a data breach increased to $7.2 million and cost companies an average of $214 per compromised record, markedly higher when compared to $204 in 2009, according to the researchers.

"Every year I predict that the costs will go down, and every year, I'm wrong," quipped Larry Ponemon, founder of the Ponemon Institute. "We did see some leveling off last year, but the overall costs are still on the rise."

The sixth annual report is based on the actual data breach experiences of 51 U.S. companies from 15 different industry sectors.

Interestingly, companies that responded quickly to data breaches ended up paying 54 percent more per record than companies that moved more slowly, according to the study. Forty-three percent of companies notified victims within one month of discovering the breach, up seven points from 2009. In 2010, these quick responders had a per-record cost of $268, up 22 percent from 2009; companies that took longer paid $174 per record, down 11 percent.

Malicious or criminal attacks are the most expensive breaches, the study says, and are on the rise. In this year’s study, 31 percent of all cases involved a malicious or criminal act -- up seven points from 2009 --and the cost of these compromises averaged $318 per record, up 43 percent from 2009.

While external breaches are on the increase, negligence remains the most common threat, Ponemon says. The number of breaches caused by negligence edged up one point to 41 percent and averaged $196 per record, up 27 percent from 2009.

Companies are more vigilant about preventing system failures, according to the report. System failure dropped nine points to 27 percent in 2010. "This trend indicates organizations may be more conscientious in ensuring their systems can prevent and mitigate breaches through new security technologies and compliance with security policies and regulations," Ponemon says.

Encryption and other technologies are gaining ground as post-breach remedies, but training and awareness programs remain the most popular, the study says. Sixty-three percent of respondents use training and awareness programs after data breaches, down four points from 2009. Encryption is the second-most implemented preventive measure as a result of a data breach, with 61 percent. Both encryption and data loss prevention (DLP) solutions have increased 17 percent since 2008.

The study takes into account a wide range of business costs, including expense outlays for detection, escalation, notification, and after-the-fact (ex-post) response. The study also analyzes the economic impact of lost or diminished customer trust and confidence as measured by customer churn or turnover rates.

"Churn is still the highest cost that we see," Ponemon said. "There's an attitude out there that users no longer care about their privacy as much, but our data shows that they really do."

The U.S. Cost of a Data Breach Study was derived from a detailed analysis of 51 data breach cases with a range of nearly 4,200 to 105,000 affected records. The study found there is a positive correlation between the number of records lost and the cost of an incident. Companies analyzed were from 15 different industries.

Have a comment on this story? Please click "Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message. Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Companies Blindly Believe They've Locked Down Users' Mobile Use
Dawn Kawamoto, Associate Editor, Dark Reading,  11/14/2017
Microsoft Word Vuln Went Unnoticed for 17 Years: Report
Kelly Sheridan, Associate Editor, Dark Reading,  11/14/2017
121 Pieces of Malware Flagged on NSA Employee's Home Computer
Kelly Jackson Higgins, Executive Editor at Dark Reading,  11/16/2017
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Managing Cyber-Risk
An online breach could have a huge impact on your organization. Here are some strategies for measuring and managing that risk.
Flash Poll
The State of Ransomware
The State of Ransomware
Ransomware has become one of the most prevalent new cybersecurity threats faced by today's enterprises. This new report from Dark Reading includes feedback from IT and IT security professionals about their organization's ransomware experiences, defense plans, and malware challenges. Find out what they had to say!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.