Mistakes are costing companies millions from avoidable data breaches

Lately, not a day goes by without a major news story on cybercriminals, hacktivists, and spies. These are generally viewed as the main threat actors behind the data breaches that we spend so much time — and budget — fighting. But what about Anne in Accounting, Sam in Sales and Paul in Production? While malicious attacks are certainly a significant problem and make for thrilling headlines, it’s mistakes made by people and systems that actually cause the majority of data breaches.

According to the 2013 Cost of a Data Breach study, negligence and system glitches together accounted for 64 percent of data breaches last year. These can include employees mishandling information, violations of industry and government regulations, inadvertent data dumps, stolen laptops, and wrongful access.

Protecting Reputation, Business and Customers in Today’s Extended Vendor Ecosystem

In today’s global economy, it’s no secret that many organizations rely on third parties for critical business activities. While outsourcing isn’t a new concept, the rise of readily available cloud-based and everything-as-a-service solutions is rapidly increasing an organization’s liability and risk landscape – often with limited IT oversight.

Unfortunately, many enterprises that rely on third-party vendors assume that these third parties properly protect their sensitive employee, customer and business data. Sadly, this is not always the case. Consider these data points:

  • Only 24 percent of respondents require third-party suppliers or partners to comply with baseline security procedures. [1]
  • Although 84 percent of senior IT decision makers [were] concerned or very concerned about the risks associated with IT security breaches, 55 percent of CIOs have not tested cloud vendors’ security systems and procedures. [2]

Are Notification Laws Driving Up Global Data Breach Costs?

It took only nine days for a $5 million class-action lawsuit to be filed against one of the latest companies to suffer a high-profile data breach. It will likely take years to see fines levied against the company and for the courts to decide if damages should be awarded to victims. But, even before fines and damages, the costs of a data breach are significant and, according to the 3rd Annual Global Cost of a Data Breach Study, they’re rising worldwide.

When you dig into the details of this year’s study – and I invite you to do just that – there are some striking differences across the globe. From the causes of breaches to the cost of lost business, no two countries are exactly the same. But, there are some global trends to keep an eye on.

Overall costs are rising

What can you get for $500,000? Notification for one data breach

U.S. companies are paying more to notify people impacted by data breaches, according to the 2011 Cost of a Data Breach Study: United States. The average cost to notify victims of a breach increased in this year’s study from approximately $510,000 to $560,000. At the same time, the average size of a breach is down 16 percent and the costs associated with the detection and escalation of data breach events declined as well, suggesting that companies may be more efficient in investigating data breaches.

So, if companies are better at detecting breaches and breaches involve fewer records, why are notification costs continuing to creep up?

The simple answer is there are more laws and regulations governing data breach notification. Forty-six states now have data breach notification laws and there are other regulatory requirements to deal with, for instance HIPAA and HITECH. While each state’s requirements for notification vary, notification is typically required when personal identifying information (PII) has been or is “reasonably believed” to have been breached.

Negligent Employees and Malicious Attacks Cause 75% of Data Breaches

The past year was a whirlwind of high-profile data breaches. There were nearly 900 data breaches in 2011, more than the prior two years[i], with over 31 million records breached[ii]. And, as the number of reported breaches continued to rise, organizations still paid a hefty cost for data breaches, according to this year’s Cost of a Data Breach Study. The organizational cost of a data breach was $5.5 million last year, and the cost per lost or stolen record was $194.

Let’s dive into some of the more interesting findings from this year’s study.

Malicious Attacks Most Costly Breaches

Malicious or criminal attacks are causing almost as many breaches as negligent insiders. In 2011, negligence was the root cause of 39 percent of the data breaches, while malicious attacks caused 37 percent of data breaches (up 6 points from 2010). For the first time malicious attacks account for more than a third of breaches; they also remain the most costly type of breach at $222 per compromised record.

Regulations Driving Data Breach Costs Higher Worldwide

It seems that no matter where you are, you’re paying more for a data breach these days. The Ponemon Institute, together with Symantec, released results of the second annual 2010 Global Cost of a Data Breach report today. The average cost of a data breach has now reached $4 million, up 18 percent from 2009, and the average cost per compromised record jumped 10 percent to $156. Costs still vary between regions. The United States had the highest cost per compromised record at $214, followed by Germany at $191, France at $136, Australia at $123 and the United Kingdom at $114 (a whopping $100 less than the United States).

But enough with the numbers; the interesting stuff is what’s behind the rising global cost of a data breach. It’s certainly true that companies face intense pressure to improve data security. In 2010, there was no shortage of high-profile data breach incidents making headlines in the global media. High-profile data breaches really aren’t anything new—though they’re probably getting more attention than in years past. What has continued to evolve is regulation.

Cost of a Data Breach Climbs Higher

Most privacy advocates and people in the data protection community believe that data breach costs will start coming down eventually because consumers will become somewhat immune to data breach news. The idea is that data breach notifications will become so commonplace that customers just won’t care anymore.

But, that hasn’t happened yet. The latest U.S. Cost of a Data Breach report (PDF), which was just released today, shows that costs continue to rise. This year, they reached $214 per compromised record and averaged $7.2 million per data breach event. The fact is that individuals still care deeply about their personal information and they lose trust in companies that fail to protect it.

It’s not only direct costs of a data breach, such as notification and legal defense costs that impact the bottom line for companies, but also indirect costs like lost customer business due to abnormal churn. This year’s study showed some very interesting results. In my view, there are a few standout trends.

Data Breach Poll: What’s the Cause? What’s the Cost?

Next week, Symantec will announce the results of the 2010 Annual Study: U.S. Cost of a Data Breach from the Ponemon Institute, which examines trends in costs and causes of data breaches, as well as best practices to avoid them. One aspect of this research examines the major causes of data breaches.

But, before we announce the official results, we want to hear from you.

Tell us what you think.

What caused more data breaches in 2010?

  • Negligence (75%, 18 Votes)
  • Malicious Attacks (17%, 4 Votes)
  • System Failure (8%, 2 Votes)

Total Voters: 24


Which major cause of data breach had the highest cost in 2010?

  • Negligence (59%, 16 Votes)
  • Malicious Attacks (26%, 7 Votes)
  • System Failure (15%, 4 Votes)

Total Voters: 27