
Cost Of Data Breaches Increased In 2009, Study Says

Ponemon Institute research says malicious attacks are the most costly breaches

The cost of data breaches continues to rise, and malicious attacks accounted for more of them in 2009 than in previous years, according to a study published today.

In conjunction with study sponsor PGP Corp., Ponemon Institute today released the results of its fifth annual "U.S. Cost of a Data Breach" report. The news isn't good, according to the research firm's founder, Larry Ponemon.

"Each year, I expect the breach cost figures to decrease, but the numbers are still rising," Ponemon says. The 2009 study showed a slight increase in the organizational cost of a data breach -- from $6.65 million to $6.75 million per incident -- and a slight increase in the average cost per compromised record, from $202 to $204.

Legal costs showed the greatest increase in 2009, according to the study. Fees associated with legal handling of breach-related litigation increased by more than 50 percent between 2008 and 2009. "This reflects the increasing chances that a breach will result in litigation, which we've seen in cases like Heartland [Payment Systems]," Ponemon says. Heartland recently agreed to a $60 million settlement related to its 2008 breach, and some of the plaintiffs are now asking for more.

Malicious attacks also showed a sharp rise in the 2009 report, Ponemon observes. In the 2008 report, external attacks accounted for 12 percent of all breaches, but this year that figure is approximately 24 percent. "What this says is that the seriously deranged criminal is a lot smarter than they used to be," Ponemon says. "The attacks are a lot more sophisticated now, and the criminals are working with technologies that are a lot stealthier."

The study is an analysis of the actual data breach experiences of 45 U.S. companies from 15 different industry sectors. It takes into account a wide range of business costs, including expense outlays for detection, escalation, notification, and after-the-fact response. It also analyzes the economic impact of lost or diminished customer trust and confidence, as measured by customer turnover (churn) rates.

"Loss of business continues to be the greatest cost associated with breaches," Ponemon says. "When customers experience a breach, they may not come back, or they may be expensive to acquire again."

The study also shows that, for the first time, many companies are deploying prevention and remediation technologies more often and more effectively, Ponemon says. Despite this trend, most organizations still aim to prevent future breaches mainly through training and awareness programs (67 percent) and additional manual procedures and controls (58 percent).

Some other strategies also saw an increase, such as expanded use of encryption (58 percent), deployment of identity and access management solutions (49 percent), and deployment of data loss prevention solutions (42 percent).

"Over the last three to five years, many companies have been focusing on encryption at the endpoints," noted Tim Matthews, senior product director at PGP, the encryption firm that sponsored the study. "Now, with the increase in breaches occurring through malware, we are seeing companies shift resources to encrypt data inside the data center, rather than just at the endpoints."

The 2009 cost per compromised record of data breaches involving a malicious or criminal act averaged $215 per record -- 40 percent higher than breaches involving a negligent insider ($154) and 30 percent higher than breaches from system glitches ($166), Ponemon says.

The presence of a chief information security officer (CISO) is a benefit to the organization, according to the study. "Companies with a CISO [or equivalent title] who managed data breach incidents experienced an average cost per compromised record of $157, versus $236 -- a whopping 50 percent increase -- for companies without such leadership," the study says.

Interestingly, companies that notified breach victims fastest did not end up saving money. About 36 percent of participating organizations notified victims within one month, but these "quick responders" ended up paying more than their slower peers ($219 versus $196, a 12 percent difference). Moving too quickly through the data breach process -- especially during the detection, escalation, and notification phases -- could cause inefficiencies that raise total costs, Ponemon says.

Tim Wilson is Editor in Chief and co-founder of DarkReading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ...
