The past year was a whirlwind of high-profile data breaches. There were nearly 900 data breaches in 2011, more than the prior two years[i], with over 31 million records breached[ii]. And, as the number of reported breaches continued to rise, organizations still paid a hefty cost for data breaches, according to this year’s Cost of a Data Breach Study. The organizational cost of a data breach was $5.5 million last year, and the cost per lost or stolen record was $194.
Let’s dive into some of the more interesting findings from this year’s study.
Malicious Attacks Most Costly Breaches
Malicious or criminal attacks are causing almost as many breaches as negligent insiders. In 2011, negligence was the root cause of 39 percent of the data breaches, while malicious attacks caused 37 percent of data breaches (up 6 points from 2010). For the first time malicious attacks account for more than a third of breaches; they also remain the most costly type of breach at $222 per compromised record.
New to this year’s study, the report includes the types of malicious attacks (see figure below). Not surprisingly, data-stealing malware is the leading attack type at 50 percent. The second most common type of malicious attack comes from within the organization – malicious insiders were involved in 33 percent of criminal attacks. That’s right, a third of malicious attacks involved rogue employees.
Organizations of all sizes are susceptible to malicious insider data theft. In a recent white paper, two forensic psychologists examined corporate data theft trends. The research they reviewed showed that in about half of corporate IP theft cases the employee stole trade secrets, followed by business information such as billing information or price lists. In other cases source code or proprietary software was taken, as well as customer information or business plans. This research also indicated that in 75 percent of cases the insider had authorized access to the data they stole, making it more difficult to solve the problem simply by strengthening security measures.
Data Breach Costs Declined
Dr. Larry Ponemon speculated last year that eventually data breach costs would start coming down because consumers will become somewhat immune to data breach news — data breach notifications will become so commonplace that customers just won’t care anymore. For the first time in seven years, both the organizational cost of data breach and the cost per lost or stolen record have declined. Only time will tell if we’ve truly reached this turning point, but this year’s Cost of a Data Breach Study certainly seems to support the notion.
More Customers Remain Loyal After Breach
The biggest impact on the cost of a data breach has always been lost business, and this year lost business costs sharply decreased from $4.5 million in 2010 to $3 million in 2011. These costs include abnormal turnover of customers, increased customer acquisition activities, reputation loss and diminished goodwill. For the first time, fewer customers are abandoning companies that have a data breach. The customer churn rate following a data breach decreased from 3.9 percent to 3.2 percent, which means more customers remain loyal after the data breach.
Clearly, we’re seeing a shift here. But it may be a bit premature to declare that consumers have become numb to data breach news (we’ll see what the data shows next year).
Know Your Potential Cost
While some may take the decrease in data breach costs as a good sign, it’s important to put things in perspective – data breaches still cost companies just shy of $200 per record. As organizations of all sizes battle an uptick in both internal and external threats, the question is, what would a data breach cost you?
Calculate your potential cost of a data breach at www.databreachcalculator.com. This free tool from Symantec lets you connect the dots between all of this research and what it really means to you by estimating how a data breach could impact your company.
Symantec also recommends that you implement information protection best practices and technologies to reduce the risk of data breach incidents. Consider the following best practices to avoid data loss:
- Assess risks by identifying and classifying confidential information
- Educate employees on information protection policies and procedures (such as streamlined social media profiles), then hold them accountable
- Implement an integrated security solution that includes reputation-based security, proactive threat protection, firewall and intrusion prevention in order to keep malware off endpoints
- Deploy data loss prevention technologies which enable policy compliance and enforcement
- Proactively encrypt laptops to minimize consequences of a lost device
- Implement two-factor authentication (e.g., VPN plus a strong user name and password)
- Integrate information protection practices into business processes
As always, I’d like to hear from you. What do you think about the findings from this year’s report?
[i] DataLossDB.org