
Negligence, Glitches Push Up Cost Of Breaches Worldwide

But U.S. breach costs on downward trajectory, reports eighth annual Ponemon study

The costs of data breaches inched up globally, but companies in the U.S. have managed to continue bringing breach costs down, according to the eighth annual Cost of Data Breach Study out this week. Conducted by Ponemon Institute on behalf of Symantec, the study found that mistakes and human errors accounted for the bulk of all breaches studied, but malicious or criminal attacks cost businesses more when they are at the root of breaches.

Examining breach experiences from 277 organizations in nine countries, the study found that the average global cost of data breaches reached $136 per compromised record, while in the U.S. the cost was $188 per compromised record.

"It's still not chump change, but it definitely seems to be trending down in the U.S. with two years of downward movement," says Dr. Larry Ponemon, chairman and founder of the Ponemon Institute. The downward pressure is likely attributable to more mature breach prevention and response practices. According to the study, the factors most likely to push breach costs down were instituting incident response plans, establishing a strong security posture, and appointing a CISO. Meanwhile, the factors most likely to raise costs included third-party error, rushed breach notification, and lost or stolen devices.

Delving into the root causes of breaches studied in this report, Ponemon found that 64 percent of breaches were caused by negligence or system failures, while approximately 37 percent were the result of malicious insiders or criminal hackers. Ponemon notes that this should be a wake-up call to the industry.


"Everyone wants to hear about cyberattacks, and everyone wants to hear about cyberattacks and exfiltration of data by the Chinese or the proverbial bad guy, and those things are happening," he says, "but in our data, since the beginning of time the majority of cases are involving people problems or system failures. Both are the result of negligence in a way."

At the same time, though, malicious insider or criminal attacks cost $157 per breached record, far above the $122 per record for breaches caused by system glitches and $117 for those caused by human error. Ponemon and Symantec believe the study results generally point to a greater need to address both malicious and negligent insider threats within the enterprise.

"Our conversations with customers and our research does point to the insider threat continuing to be the bigger cause behind data loss and data breach events," says Linda Park, product marketing manager for Symantec. "While there is an uptick in the malicious attacks, companies really are still focused on insider threats overall and making sure that employees are trained, aware, and that they have the right enforcement in place to make sure people are doing the right things."

The analysis seems to contradict figures put together earlier in the year in the Verizon Data Breach Investigations Report (DBIR), which showed that insider threats made up a small percentage of the incidents Verizon responded to. According to Ponemon, the mismatch in conclusions could be attributed to a number of factors, including different reporting standards and a focus on the number of incidents rather than the cost of breaches.

"They were referring to malicious insiders, not just negligent or incompetent people, and sometimes there's a fine line between something you call malicious versus nonmalicious," Ponemon says. "This is a little conjecture, but it seems like sometimes companies are more likely to label something malicious as nonmalicious because they really don't believe that to be true, and they chalk that up to making a mistake. So I think a lot of the insider cases are not disclosed properly."


Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.
