
Cost Of Data Breaches Increased In 2009, Study Says

Ponemon Institute research says malicious attacks are the most costly breaches

The cost of data breaches continues to rise, and malicious attacks accounted for more of them in 2009 than in previous years, according to a study published today.

In conjunction with study sponsor PGP Corp., Ponemon Institute today released the results of its fifth annual "U.S. Cost of a Data Breach" report. The news isn't good, according to the research firm's founder, Larry Ponemon.

"Each year, I expect the breach cost figures to decrease, but the numbers are still rising," Ponemon says. The 2009 study showed a slight increase in the organizational cost of a data breach -- from $6.65 million to $6.75 million per incident -- and a slight increase in the average cost per compromised record, from $202 to $204.

Legal costs showed the greatest increase in 2009, according to the study. Fees associated with legal handling of breach-related litigation increased by more than 50 percent between 2008 and 2009. "This reflects the increasing chances that a breach will result in litigation, which we've seen in cases like Heartland [Payment Systems]," Ponemon says. Heartland recently agreed to a $60 million settlement related to its 2008 breach, and some of the plaintiffs are now asking for more.

Malicious attacks also showed a sharp rise in the 2009 report, Ponemon observes. In the 2008 report, external attacks accounted for 12 percent of all breaches, but this year that figure is approximately 24 percent. "What this says is that the seriously deranged criminal is a lot smarter than they used to be," Ponemon says. "The attacks are a lot more sophisticated now, and the criminals are working with technologies that are a lot stealthier."

The study is an analysis of the actual data breach experiences of 45 U.S. companies from 15 different industry sectors. It takes into account a wide range of business costs, including expense outlays for detection, escalation, notification, and after-the-fact response. It also analyzes the economic impact of lost or diminished customer trust and confidence, as measured by customer turnover (churn) rates.

"Loss of business continues to be the greatest cost associated with breaches," Ponemon says. "When customers experience a breach, they may not come back, or they may be expensive to acquire again."

The study also shows that, for the first time, many companies are starting to use enabling prevention and remediation technologies more often and effectively, Ponemon says. Despite this trend, most organizations aim to prevent future breaches through training and awareness programs (67 percent) and additional manual procedures and controls (58 percent).

Some other strategies also saw an increase, such as expanded use of encryption (58 percent), deployment of identity and access management solutions (49 percent), and deployment of data loss prevention solutions (42 percent).

"Over the last three to five years, many companies have been focusing on encryption at the endpoints," noted Tim Matthews, senior product director at PGP, the encryption firm that sponsored the study. "Now, with the increase in breaches occurring through malware, we are seeing companies shift resources to encrypt data inside the data center, rather than just at the endpoints."

The 2009 cost per compromised record of data breaches involving a malicious or criminal act averaged $215 per record -- 40 percent higher than breaches involving a negligent insider ($154) and 30 percent higher than breaches from system glitches ($166), Ponemon says.

The presence of a chief information security officer (CISO) is a benefit to the organization, according to the study. "Companies with a CISO [or equivalent title] who managed data breach incidents experienced an average cost per compromised record of $157, versus $236 -- a whopping 50 percent increase -- for companies without such leadership," the study says.

Interestingly, companies that notified breach victims fastest did not end up saving money. About 36 percent of participating organizations notified victims within one month, but these "quick responders" ended up paying more than their slower peers ($219 versus $196, a 12 percent difference). Moving too quickly through the data breach process -- especially during the detection, escalation, and notification phases -- could cause inefficiencies that raise total costs, Ponemon says.

Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories.