Data breaches cost organisations $US7.2 million last year, a rise of 7 percent, a Symantec-Ponemon study found.
The sixth annual study, which assessed the costs of activities resulting from the actual data breach experiences of 51 US organisations, found that the incidents cost companies an average of $214 a compromised record. This is the fifth consecutive year that costs have increased.
The most expensive breach analysed cost $US35.3 million, while the least expensive cost $US780,000. One chief executive officer told researchers he was “extremely overwhelmed” by the costs associated with his organisation's breach, said Larry Ponemon, chairman and founder of the Ponemon Institute.
“It's not uncommon that people will say, 'That's a pretty expensive proposition and we might be underestimating it,'” Ponemon said.
Business costs, such as customer loss and decreases in employee productivity, made up the biggest proportion of breach costs, according to the study. Other expense areas included detection or discovery of the breach, notification, and response activities to help victims.
The study found that moving too quickly through the breach process may cause inefficiencies that ratchet up costs. Forty-three percent of respondents said they notified victims within one month of discovering the breach. These quick responders paid an average of $268 per lost record, compared to $174 paid by organisations that took longer.
“Organisations that are fast are also less precise when identifying who is at risk,” Ponemon said. “So, there's this over-reporting phenomenon, which can lead to the loss of customers.”
But companies may feel pressure to report the breach and notify victims as quickly as possible due to regulations and laws, according to the study.
Malicious or criminal attacks were increasingly the root cause of breaches, according to the study. Last year, 31 percent of cases involved criminal attacks, up 7 percent from 2009.
Negligence is the most prevalent cause of breaches, accounting for 41 percent of incidents last year.
On a positive note, organisations were more vigilant. The prevalence of breaches due to system failures, lost or stolen devices, and third-party mistakes all decreased from the year before. And more companies placed a chief information security officer in charge of breach response.
To prevent future data leakage, nearly two-thirds of respondents said they implemented training and awareness programs. Also, 61 percent said they expanded their use of encryption after a breach, up three percent from the previous year. Other popular preventative measures included adding more manual procedures and controls and deploying identity and access management or data leakage prevention solutions.
Brian Tokuyoshi, senior product marketing manager for Symantec, said that deploying encryption before a breach could lead to cost savings. Data breach regulations vary by state, but organisations typically are not required to notify individuals when the missing data is encrypted.
“We've seen a lot of encryption projects get taken up after a breach,” he said. “That is usually too late. It's not going to do anything to help data that's already been lost.”
Other best practices for avoiding data breaches include educating employees on information protection policies and procedures, and assessing risks by identifying and classifying confidential information, according to the study.