Negligent Employees and Malicious Attacks Cause 75% of Data Breaches

The past year was a whirlwind of high-profile data breaches. There were nearly 900 data breaches in 2011, more than in the prior two years[i], with over 31 million records breached[ii]. And as the number of reported breaches rose, the cost of each one stayed high, according to this year’s Cost of a Data Breach Study: the average organizational cost of a data breach was $5.5 million last year, and the cost per lost or stolen record was $194.

Let’s dive into some of the more interesting findings from this year’s study.

Malicious Attacks Most Costly Breaches

Malicious or criminal attacks are now causing almost as many breaches as negligent insiders. In 2011, negligence was the root cause of 39 percent of data breaches, while malicious attacks caused 37 percent (up 6 points from 2010). For the first time, malicious attacks account for more than a third of breaches; they also remain the most costly type of breach at $222 per compromised record.

The Internet – A Blessing or Double-Edged Sword?

The Internet has grown to be one of the most important information and business conduits the world has ever seen. While it has brought us amazing new capabilities over the past 15 years or so, it also has a downside. Much as the American frontier during the push westward was a ripe playground for outlaws, the Internet’s own “wild west” attracts the same kind of people.

It is a double-edged sword: we have amazing capabilities, but also a perfect landscape for lawlessness. Hackers and cybercriminals have taken note. Today they use the Internet to target specific individuals or groups at specific companies, lure them into reacting to an email message that directs them to an attacker’s site, and silently download malware to begin gaining access and stealing data or intellectual property. What’s more, they are automating their attacks. Sophisticated attackers use scripting tools and raw computing power to marshal vast numbers of machines to aid in perpetrating automated attacks.

iOS Devices: Your CEO wants one, IT wants the data on it secure

IT is constantly adapting to new realities spurred by the technologies that people use and bring into the enterprise environment. One of the most disruptive technologies of late has been iOS devices. These devices are massively popular, and for good reason. Whether you are a vice president keeping up on the latest sales reports mid-flight on an iPad or a physician reviewing medical reports while meeting with a patient, iOS devices can improve productivity.

Platforms such as iOS have been designed from the ground up to be more secure—they raise the bar by leveraging techniques such as application isolation, provenance, device encryption, and permission-based access control. However, these devices were designed for consumers and, as such, security has been traded off for usability to varying degrees. It’s this usability that makes them so popular among consumers.

Regulations Driving Data Breach Costs Higher Worldwide

It seems that no matter where you are, you’re paying more for a data breach these days. The Ponemon Institute, together with Symantec, released the results of the second annual Global Cost of a Data Breach report (covering 2010) today. The average cost of a data breach has now reached $4 million, up 18 percent from 2009, and the average cost per compromised record jumped 10 percent to $156. Costs still vary by region: the United States had the highest cost per compromised record at $214, followed by Germany at $191, France at $136, Australia at $123 and the United Kingdom at $114, a whopping $100 less than the United States.

But enough with the numbers; the interesting part is what’s behind the rising global cost of a data breach. Companies certainly face intense pressure to improve data security. In 2010 there was no shortage of high-profile data breach incidents making headlines in the global media. High-profile breaches aren’t anything new, though they’re probably getting more attention than in years past. What has continued to evolve is regulation.

Device Control: The Path to Enforcing Encryption Policy

Take a minute if you will and consider the following scenario. It’s likely a familiar one; just do a quick Internet search of data breaches and it will pop up again and again and again.

Company XYZ has a security policy that mandates the use of encrypted USB storage and issues the appropriate devices to its users. However, the company still finds itself at risk from a data breach because users continue to use unencrypted portable storage.

I’d bet that the CEO of this company, and every company dealing with such a data breach, was caught by surprise. After all, they had a security policy in place and they issued encrypted devices to their staff, yet still there’s an incident of data loss that they must deal with.

Protecting Corporate Data—1024-bit Encryption and Beyond

There’s little question that enterprises and consumers are facing increased threats from cybercriminals. It seems that every day, we are hearing about another government entity or large business being hacked and losing files in more insidious ways.

Encryption has been the standard technology for decades to protect data wherever it is: in motion, in use and in storage. For years, 1024-bit encryption has been the popular choice for sensitive commercial and government data; the figure refers to the modulus size of public-key algorithms such as RSA, not to symmetric ciphers like AES, whose 128- or 256-bit keys sit on a different scale entirely. Given the constant advances in computing power, however, it’s a given that encryption that is good enough today will not be good enough down the road.

In anticipation of this need for ever-greater security, the National Institute of Standards and Technology (NIST) has set the end of 2013 as the cutoff: its transition guidance (SP 800-131A) deprecates 1024-bit RSA, DSA and Diffie-Hellman keys for federal use through 2013 and disallows them after that, making 2048-bit keys the minimum. This does not mean that 1024-bit keys are broken today. No public factorization of a 1024-bit RSA modulus has been reported; the current record, RSA-768, took roughly two years of computation spread across hundreds of machines when it fell in December 2009, and 1024 bits is estimated to be about a thousand times harder. The margin is shrinking, though, and a key is only as good as the longest time you expect its ciphertext to stay secret: anything encrypted to a 1024-bit key today will still be decryptable the day that key is factored.
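As an added example (not code from the original post or from Symantec), here is a small Python script that does what this passage asks of a practitioner: it reads a PEM-encoded RSA public key, pulls the modulus size out of it with a minimal DER reader, and classifies that size against NIST’s SP 800-57 security-strength table and the SP 800-131A transition dates quoted above. The sample keys are constructed inline with a dummy modulus (a bit pattern of the right length, not a real product of two primes) purely so the parser has something to read; the function names are my own.

```python
import base64
import re

# NIST SP 800-57 Part 1 (Table 2): RSA modulus size -> comparable security strength in bits.
# NIST SP 800-131A (Jan 2011): 80-bit strength (1024-bit RSA/DSA/DH) is "deprecated" for
# 2011-2013 and "disallowed" after 2013; 112 bits (2048-bit RSA) is the floor thereafter.

def rsa_security_strength(modulus_bits: int) -> int:
    """Comparable symmetric security strength for an RSA modulus of the given size."""
    if modulus_bits < 1024:
        return 0          # below anything NIST tabulates: treat as providing no strength
    if modulus_bits < 2048:
        return 80
    if modulus_bits < 3072:
        return 112
    if modulus_bits < 7680:
        return 128
    if modulus_bits < 15360:
        return 192
    return 256


def sp800_131a_status(modulus_bits: int, year: int) -> str:
    """'acceptable', 'deprecated' or 'disallowed' for use in the given calendar year."""
    strength = rsa_security_strength(modulus_bits)
    if strength >= 112:
        return "acceptable"
    if strength == 80 and year <= 2013:
        return "deprecated"
    return "disallowed"


def _der_read(buf: bytes, pos: int):
    """Read one DER tag-length-value starting at pos; return (tag, value, position after it)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                        # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def rsa_modulus_bits(der: bytes) -> int:
    """Modulus size of a DER SubjectPublicKeyInfo (OpenSSL 'PUBLIC KEY') or a PKCS#1 RSAPublicKey."""
    tag, body, _ = _der_read(der, 0)
    if tag != 0x30:
        raise ValueError("expected outer SEQUENCE")
    tag, first, nxt = _der_read(body, 0)
    if tag == 0x30:                          # AlgorithmIdentifier first -> SubjectPublicKeyInfo
        tag, bitstr, _ = _der_read(body, nxt)
        if tag != 0x03:
            raise ValueError("expected BIT STRING holding RSAPublicKey")
        return rsa_modulus_bits(bitstr[1:])  # bitstr[0] is the unused-bits count (0 here)
    if tag != 0x02:
        raise ValueError("expected INTEGER modulus")
    return int.from_bytes(first, "big").bit_length()


def audit_public_key_pem(pem: str, year: int) -> dict:
    """Decode a PEM public key and report its size, NIST strength and SP 800-131A status."""
    b64 = re.sub(r"-----[A-Z ]+-----|\s", "", pem)   # drop BEGIN/END lines and whitespace
    bits = rsa_modulus_bits(base64.b64decode(b64))
    return {"modulus_bits": bits,
            "security_strength": rsa_security_strength(bits),
            "status": sp800_131a_status(bits, year)}


# Constructed sample keys for the demo: NOT real RSA keys, the modulus is just a bit pattern.

def _der_tlv(tag: int, value: bytes) -> bytes:
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def _der_uint(x: int) -> bytes:
    # bit_length // 8 + 1 octets gives a leading 0x00 exactly when the top bit is set (DER positive INTEGER)
    return _der_tlv(0x02, x.to_bytes(x.bit_length() // 8 + 1, "big"))


def sample_public_key_pem(modulus_bits: int) -> str:
    """Build a syntactically valid 'PUBLIC KEY' PEM whose dummy modulus has the requested size."""
    rsa_pub = _der_tlv(0x30, _der_uint((1 << (modulus_bits - 1)) | 1) + _der_uint(65537))
    alg_id = _der_tlv(0x30, bytes.fromhex("06092a864886f70d010101") + b"\x05\x00")  # rsaEncryption, NULL
    spki = _der_tlv(0x30, alg_id + _der_tlv(0x03, b"\x00" + rsa_pub))
    b64 = base64.b64encode(spki).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN PUBLIC KEY-----\n" + "\n".join(lines) + "\n-----END PUBLIC KEY-----\n"


if __name__ == "__main__":
    for bits in (1024, 2048):
        for year in (2012, 2014):
            print(bits, year, audit_public_key_pem(sample_public_key_pem(bits), year))
```

The same `audit_public_key_pem` call works on a real key exported with `openssl rsa -pubout`, since that produces exactly the SubjectPublicKeyInfo layout the reader walks; point it at the public keys behind your certificates and anything that comes back `deprecated` or `disallowed` is a key to rotate before the 2013 cutoff.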

The Remedy for Healthcare Data Loss: Encryption

It seems not a week goes by that we don’t hear about a data loss incident in the healthcare industry, be it a provider or payer. The headlines reflect a real trend: the number of data breaches in the healthcare industry is on the rise. Healthcare IT News reports that more than 6 million people have been affected by breaches of protected health information since the HITECH Act’s breach notification requirements went into effect. And in 2010, the Identity Theft Resource Center (ITRC) recorded 160 data breaches in the health/medical category, more than double the 2009 total.

What’s more, data breaches in healthcare cost $301 per record, which is $87 more per record than the average. For more stats on the cost of a data breach, check out the Ponemon Institute’s U.S. Cost of a Data Breach study.

Cost of a Data Breach Climbs Higher

Most privacy advocates and people in the data protection community believe that data breach costs will start coming down eventually because consumers will become somewhat immune to data breach news. The idea is that data breach notifications will become so commonplace that customers just won’t care anymore.

But, that hasn’t happened yet. The latest U.S. Cost of a Data Breach report (PDF), which was just released today, shows that costs continue to rise. This year, they reached $214 per compromised record and averaged $7.2 million per data breach event. The fact is that individuals still care deeply about their personal information and they lose trust in companies that fail to protect it.

It’s not only the direct costs of a data breach, such as notification and legal defense, that hit a company’s bottom line, but also indirect costs like lost business from abnormal customer churn. This year’s study showed some very interesting results. In my view, there are a few standout trends.

Resolved: PGP Whole Disk Encryption Maintenance Release for Mac OS X supports OS update to 10.6.5 or later

Last November, we posted about a potential issue with the Mac OS X 10.6.5 (or later) upgrade process and PGP Whole Disk Encryption 10.0.x. Since then, Symantec has provided both a workaround and a hotfix for the client problem encountered with PGP Whole Disk Encryption when updating Mac OS X. A maintenance release that addresses the issue proactively is now available.

Symantec has released PGP Whole Disk Encryption 10.1.1 for Mac OS X. After installation of this update, PGP customers can safely update their OS version to Mac OS X 10.6.5 (or later).

For more information on this maintenance release, refer to the post on Symantec’s Encryption Blog.

Complete instructions for how to successfully update to 10.6.5 can be found in this Knowledgebase article.

Clear Focus on Risk Leads to Laptop Security

Malcolm Harkins is Chief Information Security Officer, Intel Corporation.

Recently, I sat down with several other IT security experts and reporters to provide context to a study of the nagging and, as it turns out, incredibly expensive problem of missing laptop PCs. The study found that the odds of having your laptop lost or stolen are as high as 1 in 10.  This won’t surprise many CISOs who regularly field reports of laptops vanishing at airports, customer conference rooms, homes and through shattered car windows.  Likely most would be shocked at the cost.  The 300 companies shared a $2.1 billion bill by and large to cover the ramifications from potentially compromised information on the hard drives.

There was one stat, however, that really stunned me – 70 percent of those companies do nothing to protect their laptops and data.  No encryption.  No back-up.  No antitheft technologies.
