Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

3/20/2012
10:55 AM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

Breach Fatigue? Cost Of A Data Breach Declines For The First Time

New Ponemon study says cost to an organization hit by a breach fell to $5.5 million last year

Call it grizzled experience from multiple breaches, but for the first time in seven years the cost of a data breach has dropped -- and by a whopping 20 percent.

The Ponemon Institute's new "2011 Cost Of Data Breach Study" for the U.S., sponsored by Symantec, found that the cost to an organization hit by a breach was $5.5 million last year, down from $7.2 million in 2010. The cost per breached record also declined last year, from $214 to $194.

"We didn't expect a decrease," says Larry Ponemon, chairman and founder of The Ponemon Institute, which surveyed and interviewed some 49 U.S. organizations that had been hit by breaches. The study excluded massive breach incidents of more than 100,000 compromised records to prevent a skewing of the data.

The drop likely has to do with experience, as organizations do a better job at responding to and defending against breaches, according to the Ponemon report, and thanks to state breach laws.

Another bit of good news: Customers are less likely to jump ship from a business or retailer that gets breached. Customer churn is down by 18 percent for the first time in the study. According to the report, the cost of loss of business dipped from $4.54 million in 2010 to $3.01 million last year, meaning customers were less likely to abandon a business hit by a data breach.

"Lost business is usually the biggest loss -- losing customers, recruiting new ones," and rebuilding reputation, Ponemon says.

But don't expect the cost of breaches to continue to drop, Ponemon says. "My gut tells me this is just a point in time: It's very likely it could go up. It's very likely a major data breach results in harm to a lot of individuals, with identity theft and medical identity theft that might drive up that churn rate," he says.

The report also revealed that certain factors can increase or decrease the cost of a data breach. An organization's first breach costs them an average of $37 more per record, and jumping the gun to notify customers can be costly: Organizations that notified customers too quickly about a breach before properly assessing it on average paid $33 more per record. "Quick response, we found, can actually drive up your costs. It's a balance between thoughtful response and a timely notification," Ponemon says.

Breaches caused by third parties or lost devices are more expensive, too: Add an average of $26 per record to the bill for third-party data breaches, and $22 for a lost laptop or other device.

Having a CISO in charge of data protection can save you money, decreasing the cost per breached record by an average of $80, and bringing in outside consultants to help in the aftermath of a breach can reduce the cost per exposed record by an average of $41 per record.

The type of breach also dictates the cost of the aftermath: A malicious attack, which accounted for 37 percent of the breaches in the study, is the priciest, at $222 per compromised record. User error or negligence was the most common, with 39 percent of the breaches, and costs about $174 per record.

And the bottom line of the study: The cost of detection and escalation dropped 6 percent, to $428,330, on average in 2011 in comparison to $455,304 in 2010. "There are two ways of reading this. One, companies are spending less resources on forensics, but I don't think that's happening here. Or a lot of companies had no clue how to respond when they found a breach before, so IR planning is making investment more efficient," Ponemon says.

Meanwhile, breach notification costs rose by 10 percent to $561,495 last year, versus $511,454 in 2010. "The reason for that, we think, is not that regulations have changed that much, but the view that the regulatory hammer is going to come down on companies who are not careful on managing their data ... notification costs increased because of the way organizations are being the most transparent" about a breach, he says.

The full Ponemon report is available here for download.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Bprince
50%
50%
Bprince,
User Rank: Ninja
3/21/2012 | 11:07:22 PM
re: Breach Fatigue? Cost Of A Data Breach Declines For The First Time
"The drop likely has to do with experience, as organizations do a better job at responding to and defending against breaches." -- Good news. I recall a few years ago this survey found the notification process was costing businesses extra money because people were notifying large numbers of people unnecessarily.-
Brian Prince, InformationWeek/Dark Reading Comment Moderator
COVID-19: Latest Security News & Commentary
Dark Reading Staff 9/25/2020
9 Tips to Prepare for the Future of Cloud & Network Security
Kelly Sheridan, Staff Editor, Dark Reading,  9/28/2020
Attacker Dwell Time: Ransomware's Most Important Metric
Ricardo Villadiego, Founder and CEO of Lumu,  9/30/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-25288
PUBLISHED: 2020-09-30
An issue was discovered in MantisBT before 2.24.3. When editing an Issue in a Project where a Custom Field with a crafted Regular Expression property is used, improper escaping of the corresponding form input's pattern attribute allows HTML injection and, if CSP settings permit, execution of arbitra...
CVE-2020-25781
PUBLISHED: 2020-09-30
An issue was discovered in file_download.php in MantisBT before 2.24.3. Users without access to view private issue notes are able to download the (supposedly private) attachments linked to these notes by accessing the corresponding file download URL directly.
CVE-2020-25830
PUBLISHED: 2020-09-30
An issue was discovered in MantisBT before 2.24.3. Improper escaping of a custom field's name allows an attacker to inject HTML and, if CSP settings permit, achieve execution of arbitrary JavaScript when attempting to update said custom field via bug_actiongroup_page.php.
CVE-2020-26159
PUBLISHED: 2020-09-30
In Oniguruma 6.9.5_rev1, an attacker able to supply a regular expression for compilation may be able to overflow a buffer by one byte in concat_opt_exact_str in src/regcomp.c .
CVE-2020-6654
PUBLISHED: 2020-09-30
A DLL Hijacking vulnerability in Eaton's 9000x Programming and Configuration Software v 2.0.38 and prior allows an attacker to execute arbitrary code by replacing the required DLLs with malicious DLLs when the software try to load vci11un6.DLL and cinpl.DLL.