Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


10:55 AM
Connect Directly

Breach Fatigue? Cost Of A Data Breach Declines For The First Time

New Ponemon study says cost to an organization hit by a breach fell to $5.5 million last year

Call it grizzled experience from multiple breaches, but for the first time in seven years the cost of a data breach has dropped -- and by a whopping 20 percent.

The Ponemon Institute's new "2011 Cost Of Data Breach Study" for the U.S., sponsored by Symantec, found that the cost to an organization hit by a breach was $5.5 million last year, down from $7.2 million in 2010. The cost per breached record also declined last year, from $214 to $194.

"We didn't expect a decrease," says Larry Ponemon, chairman and founder of The Ponemon Institute, which surveyed and interviewed some 49 U.S. organizations that had been hit by breaches. The study excluded massive breach incidents of more than 100,000 compromised records to prevent a skewing of the data.

The drop likely has to do with experience, as organizations do a better job at responding to and defending against breaches, according to the Ponemon report, and thanks to state breach laws.

Another bit of good news: Customers are less likely to jump ship from a business or retailer that gets breached. Customer churn is down by 18 percent for the first time in the study. According to the report, the cost of loss of business dipped from $4.54 million in 2010 to $3.01 million last year, meaning customers were less likely to abandon a business hit by a data breach.

"Lost business is usually the biggest loss -- losing customers, recruiting new ones," and rebuilding reputation, Ponemon says.

But don't expect the cost of breaches to continue to drop, Ponemon says. "My gut tells me this is just a point in time: It's very likely it could go up. It's very likely a major data breach results in harm to a lot of individuals, with identity theft and medical identity theft that might drive up that churn rate," he says.

The report also revealed that certain factors can increase or decrease the cost of a data breach. An organization's first breach costs them an average of $37 more per record, and jumping the gun to notify customers can be costly: Organizations that notified customers too quickly about a breach before properly assessing it on average paid $33 more per record. "Quick response, we found, can actually drive up your costs. It's a balance between thoughtful response and a timely notification," Ponemon says.

Breaches caused by third parties or lost devices are more expensive, too: Add an average of $26 per record to the bill for third-party data breaches, and $22 for a lost laptop or other device.

Having a CISO in charge of data protection can save you money, decreasing the cost per breached record by an average of $80, and bringing in outside consultants to help in the aftermath of a breach can reduce the cost per exposed record by an average of $41 per record.

The type of breach also dictates the cost of the aftermath: A malicious attack, which accounted for 37 percent of the breaches in the study, is the priciest, at $222 per compromised record. User error or negligence was the most common, with 39 percent of the breaches, and costs about $174 per record.

And the bottom line of the study: The cost of detection and escalation dropped 6 percent, to $428,330, on average in 2011 in comparison to $455,304 in 2010. "There are two ways of reading this. One, companies are spending less resources on forensics, but I don't think that's happening here. Or a lot of companies had no clue how to respond when they found a breach before, so IR planning is making investment more efficient," Ponemon says.

Meanwhile, breach notification costs rose by 10 percent to $561,495 last year, versus $511,454 in 2010. "The reason for that, we think, is not that regulations have changed that much, but the view that the regulatory hammer is going to come down on companies who are not careful on managing their data ... notification costs increased because of the way organizations are being the most transparent" about a breach, he says.

The full Ponemon report is available here for download.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Ninja
3/21/2012 | 11:07:22 PM
re: Breach Fatigue? Cost Of A Data Breach Declines For The First Time
"The drop likely has to do with experience, as organizations do a better job at responding to and defending against breaches." -- Good news. I recall a few years ago this survey found the notification process was costing businesses extra money because people were notifying large numbers of people unnecessarily.-
Brian Prince, InformationWeek/Dark Reading Comment Moderator
AI Is Everywhere, but Don't Ignore the Basics
Howie Xu, Vice President of AI and Machine Learning at Zscaler,  9/10/2019
Fed Kaspersky Ban Made Permanent by New Rules
Dark Reading Staff 9/11/2019
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2019-09-15
A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to com.zaxxer.hikari.HikariConfig.
PUBLISHED: 2019-09-15
In the api-bearer-auth plugin before 20190907 for WordPress, the server parameter is not correctly filtered in the swagger-config.yaml.php file, and it is possible to inject JavaScript code, aka XSS.
PUBLISHED: 2019-09-15
GetSimple CMS v3.3.15 has Persistent Cross-Site Scripting (XSS) in admin/theme-edit.php.
PUBLISHED: 2019-09-15
In Bludit v3.9.2, there is a persistent XSS vulnerability in the Categories -> Add New Category -> Name field. NOTE: this may overlap CVE-2017-16636.
PUBLISHED: 2019-09-15
A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to com.zaxxer.hikari.HikariDataSource. This is a different vulnerability than CVE-2019-14540.