Examining breach experiences from 277 organizations in nine countries, the study found that the average global cost of data breaches reached $136 per compromised record, while in the U.S. the cost was $188 per compromised record.
"It's still not chump change, but it definitely seems to be trending down in the U.S. with two years of downward movement," says Dr. Larry Ponemon, chairman and founder of the Ponemon Institute. The downward trend is likely attributable to more mature breach prevention and response practices. According to the study, the factors most likely to push breach costs down were instituting an incident response plan, establishing a strong security posture, and appointing a CISO. Meanwhile, the factors most likely to raise costs were third-party error, rushed breach notification, and lost or stolen devices.
Delving into the root causes of breaches studied in this report, Ponemon found that 64 percent of breaches were caused by negligence or system failures, while approximately 37 percent were the result of malicious insiders or criminal hackers. Ponemon notes that this should be a wake-up call to the industry.
"Everyone wants to hear about cyberattacks, and everyone wants to hear about cyberattacks and exfiltration of data by the Chinese or the proverbial bad guy, and those things are happening," he says, "but in our data, since the beginning of time the majority of cases are involving people problems or system failures. Both are the result of negligence in a way."
At the same time, though, malicious insider or criminal attacks cost $157 per breached record, far above the $122 per record for breaches caused by system glitches and the $117 per record for those caused by human error. Ponemon and Symantec believe the study results point to a greater need to address both malicious and negligent insider threats within the enterprise.
"Our conversations with customers and our research do point to the insider threat continuing to be the bigger cause behind data loss and data breach events," says Linda Park, product marketing manager for Symantec. "While there is an uptick in the malicious attacks, companies really are still focused on insider threats overall and making sure that employees are trained, aware, and that they have the right enforcement in place to make sure people are doing the right things."
The analysis seems to contradict figures put together earlier in the year in the Verizon Data Breach Investigations Report (DBIR), which showed insider threats making up only a small percentage of the incidents it covered. According to Ponemon, the mismatch in conclusions could be attributed to a number of factors, including different reporting standards and a focus on the number of incidents rather than the cost of breaches.
"They were referring to malicious insiders, not just negligent or incompetent people, and sometimes there's a fine line between something you call malicious versus nonmalicious," Ponemon says. "This is a little conjecture, but it seems like sometimes companies are more likely to label something malicious as nonmalicious because they really don't believe that to be true, and they chalk that up to making a mistake. So I think a lot of the insider cases are not disclosed properly."