Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


10:55 AM
Connect Directly

Breach Fatigue? Cost Of A Data Breach Declines For The First Time

New Ponemon study says cost to an organization hit by a breach fell to $5.5 million last year

Call it grizzled experience from multiple breaches, but for the first time in seven years the cost of a data breach has dropped -- and by a whopping 20 percent.

The Ponemon Institute's new "2011 Cost Of Data Breach Study" for the U.S., sponsored by Symantec, found that the cost to an organization hit by a breach was $5.5 million last year, down from $7.2 million in 2010. The cost per breached record also declined last year, from $214 to $194.

"We didn't expect a decrease," says Larry Ponemon, chairman and founder of The Ponemon Institute, which surveyed and interviewed some 49 U.S. organizations that had been hit by breaches. The study excluded massive breach incidents of more than 100,000 compromised records to prevent a skewing of the data.

The drop likely has to do with experience, as organizations do a better job at responding to and defending against breaches, according to the Ponemon report, and thanks to state breach laws.

Another bit of good news: Customers are less likely to jump ship from a business or retailer that gets breached. Customer churn is down by 18 percent for the first time in the study. According to the report, the cost of loss of business dipped from $4.54 million in 2010 to $3.01 million last year, meaning customers were less likely to abandon a business hit by a data breach.

"Lost business is usually the biggest loss -- losing customers, recruiting new ones," and rebuilding reputation, Ponemon says.

But don't expect the cost of breaches to continue to drop, Ponemon says. "My gut tells me this is just a point in time: It's very likely it could go up. It's very likely a major data breach results in harm to a lot of individuals, with identity theft and medical identity theft that might drive up that churn rate," he says.

The report also revealed that certain factors can increase or decrease the cost of a data breach. An organization's first breach costs them an average of $37 more per record, and jumping the gun to notify customers can be costly: Organizations that notified customers too quickly about a breach before properly assessing it on average paid $33 more per record. "Quick response, we found, can actually drive up your costs. It's a balance between thoughtful response and a timely notification," Ponemon says.

Breaches caused by third parties or lost devices are more expensive, too: Add an average of $26 per record to the bill for third-party data breaches, and $22 for a lost laptop or other device.

Having a CISO in charge of data protection can save you money, decreasing the cost per breached record by an average of $80, and bringing in outside consultants to help in the aftermath of a breach can reduce the cost per exposed record by an average of $41 per record.

The type of breach also dictates the cost of the aftermath: A malicious attack, which accounted for 37 percent of the breaches in the study, is the priciest, at $222 per compromised record. User error or negligence was the most common, with 39 percent of the breaches, and costs about $174 per record.

And the bottom line of the study: The cost of detection and escalation dropped 6 percent, to $428,330, on average in 2011 in comparison to $455,304 in 2010. "There are two ways of reading this. One, companies are spending less resources on forensics, but I don't think that's happening here. Or a lot of companies had no clue how to respond when they found a breach before, so IR planning is making investment more efficient," Ponemon says.

Meanwhile, breach notification costs rose by 10 percent to $561,495 last year, versus $511,454 in 2010. "The reason for that, we think, is not that regulations have changed that much, but the view that the regulatory hammer is going to come down on companies who are not careful on managing their data ... notification costs increased because of the way organizations are being the most transparent" about a breach, he says.

The full Ponemon report is available here for download.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Ninja
3/21/2012 | 11:07:22 PM
re: Breach Fatigue? Cost Of A Data Breach Declines For The First Time
"The drop likely has to do with experience, as organizations do a better job at responding to and defending against breaches." -- Good news. I recall a few years ago this survey found the notification process was costing businesses extra money because people were notifying large numbers of people unnecessarily.-
Brian Prince, InformationWeek/Dark Reading Comment Moderator
Mobile Banking Malware Up 50% in First Half of 2019
Kelly Sheridan, Staff Editor, Dark Reading,  1/17/2020
Active Directory Needs an Update: Here's Why
Raz Rafaeli, CEO and Co-Founder at Secret Double Octopus,  1/16/2020
New Attack Campaigns Suggest Emotet Threat Is Far From Over
Jai Vijayan, Contributing Writer,  1/16/2020
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Current Issue
The Year in Security: 2019
This Tech Digest provides a wrap up and overview of the year's top cybersecurity news stories. It was a year of new twists on old threats, with fears of another WannaCry-type worm and of a possible botnet army of Wi-Fi routers. But 2019 also underscored the risk of firmware and trusted security tools harboring dangerous holes that cybercriminals and nation-state hackers could readily abuse. Read more.
Flash Poll
How Enterprises are Attacking the Cybersecurity Problem
How Enterprises are Attacking the Cybersecurity Problem
Organizations have invested in a sweeping array of security technologies to address challenges associated with the growing number of cybersecurity attacks. However, the complexity involved in managing these technologies is emerging as a major problem. Read this report to find out what your peers biggest security challenges are and the technologies they are using to address them.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-01-23
In Secure Headers (RubyGem secure_headers), a directive injection vulnerability is present in versions before 3.9.0, 5.2.0, and 6.3.0. If user-supplied input was passed into append/override_content_security_policy_directives, a newline could be injected leading to limited header injection. Upon seei...
PUBLISHED: 2020-01-23
In Secure Headers (RubyGem secure_headers), a directive injection vulnerability is present in versions before 3.8.0, 5.1.0, and 6.2.0. If user-supplied input was passed into append/override_content_security_policy_directives, a semicolon could be injected leading to directive injection. This could b...
PUBLISHED: 2020-01-23
In PrivateBin versions 1.2.0 before 1.2.2, and 1.3.0 before 1.3.2, a persistent XSS attack is possible. Under certain conditions, a user provided attachment file name can inject HTML leading to a persistent Cross-site scripting (XSS) vulnerability. The vulnerability has been fixed in PrivateBin v1.3...
PUBLISHED: 2020-01-23
A timing vulnerability in the Scalar::check_overflow function in Parity libsecp256k1-rs before 0.3.1 potentially allows an attacker to leak information via a side-channel attack.
PUBLISHED: 2020-01-22
An issue was discovered on Eaton 5P 850 devices. The Ubicacion SAI field allows XSS attacks by an administrator.