Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


10:55 AM
Connect Directly

Breach Fatigue? Cost Of A Data Breach Declines For The First Time

New Ponemon study says cost to an organization hit by a breach fell to $5.5 million last year

Call it grizzled experience from multiple breaches, but for the first time in seven years the cost of a data breach has dropped -- and by a whopping 20 percent.

The Ponemon Institute's new "2011 Cost Of Data Breach Study" for the U.S., sponsored by Symantec, found that the cost to an organization hit by a breach was $5.5 million last year, down from $7.2 million in 2010. The cost per breached record also declined last year, from $214 to $194.

"We didn't expect a decrease," says Larry Ponemon, chairman and founder of The Ponemon Institute, which surveyed and interviewed some 49 U.S. organizations that had been hit by breaches. The study excluded massive breach incidents of more than 100,000 compromised records to prevent a skewing of the data.

The drop likely has to do with experience, as organizations do a better job at responding to and defending against breaches, according to the Ponemon report, and thanks to state breach laws.

Another bit of good news: Customers are less likely to jump ship from a business or retailer that gets breached. Customer churn is down by 18 percent for the first time in the study. According to the report, the cost of loss of business dipped from $4.54 million in 2010 to $3.01 million last year, meaning customers were less likely to abandon a business hit by a data breach.

"Lost business is usually the biggest loss -- losing customers, recruiting new ones," and rebuilding reputation, Ponemon says.

But don't expect the cost of breaches to continue to drop, Ponemon says. "My gut tells me this is just a point in time: It's very likely it could go up. It's very likely a major data breach results in harm to a lot of individuals, with identity theft and medical identity theft that might drive up that churn rate," he says.

The report also revealed that certain factors can increase or decrease the cost of a data breach. An organization's first breach costs them an average of $37 more per record, and jumping the gun to notify customers can be costly: Organizations that notified customers too quickly about a breach before properly assessing it on average paid $33 more per record. "Quick response, we found, can actually drive up your costs. It's a balance between thoughtful response and a timely notification," Ponemon says.

Breaches caused by third parties or lost devices are more expensive, too: Add an average of $26 per record to the bill for third-party data breaches, and $22 for a lost laptop or other device.

Having a CISO in charge of data protection can save you money, decreasing the cost per breached record by an average of $80, and bringing in outside consultants to help in the aftermath of a breach can reduce the cost per exposed record by an average of $41 per record.

The type of breach also dictates the cost of the aftermath: A malicious attack, which accounted for 37 percent of the breaches in the study, is the priciest, at $222 per compromised record. User error or negligence was the most common, with 39 percent of the breaches, and costs about $174 per record.

And the bottom line of the study: The cost of detection and escalation dropped 6 percent, to $428,330, on average in 2011 in comparison to $455,304 in 2010. "There are two ways of reading this. One, companies are spending less resources on forensics, but I don't think that's happening here. Or a lot of companies had no clue how to respond when they found a breach before, so IR planning is making investment more efficient," Ponemon says.

Meanwhile, breach notification costs rose by 10 percent to $561,495 last year, versus $511,454 in 2010. "The reason for that, we think, is not that regulations have changed that much, but the view that the regulatory hammer is going to come down on companies who are not careful on managing their data ... notification costs increased because of the way organizations are being the most transparent" about a breach, he says.

The full Ponemon report is available here for download.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio


Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Ninja
3/21/2012 | 11:07:22 PM
re: Breach Fatigue? Cost Of A Data Breach Declines For The First Time
"The drop likely has to do with experience, as organizations do a better job at responding to and defending against breaches." -- Good news. I recall a few years ago this survey found the notification process was costing businesses extra money because people were notifying large numbers of people unnecessarily.-
Brian Prince, InformationWeek/Dark Reading Comment Moderator
COVID-19: Latest Security News & Commentary
Dark Reading Staff 7/2/2020
Ripple20 Threatens Increasingly Connected Medical Devices
Kelly Sheridan, Staff Editor, Dark Reading,  6/30/2020
DDoS Attacks Jump 542% from Q4 2019 to Q1 2020
Dark Reading Staff 6/30/2020
Register for Dark Reading Newsletters
White Papers
Current Issue
How Cybersecurity Incident Response Programs Work (and Why Some Don't)
This Tech Digest takes a look at the vital role cybersecurity incident response (IR) plays in managing cyber-risk within organizations. Download the Tech Digest today to find out how well-planned IR programs can detect intrusions, contain breaches, and help an organization restore normal operations.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-07-02
Apache Guacamole 1.1.0 and older may mishandle pointers involved inprocessing data received via RDP static virtual channels. If a userconnects to a malicious or compromised RDP server, a series ofspecially-crafted PDUs could result in memory corruption, possiblyallowing arbitrary code to be executed...
PUBLISHED: 2020-07-02
A vulnerability in the web-based management interface of Cisco Unified Communications Manager, Cisco Unified Communications Manager Session Management Edition, Cisco Unified Communications Manager IM & Presence Service, and Cisco Unity Connection could allow an unauthenticated, remote attack...
PUBLISHED: 2020-07-02
In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, when users run the command displayed in NGINX Controller user interface (UI) to fetch the agent installer, the server TLS certificate is not verified.
PUBLISHED: 2020-07-02
In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, the Neural Autonomic Transport System (NATS) messaging services in use by the NGINX Controller do not require any form of authentication, so any successful connection would be authorized.
PUBLISHED: 2020-07-02
In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, the NGINX Controller installer starts the download of Kubernetes packages from an HTTP URL On Debian/Ubuntu system.