Data breach costs drop for first time

Despite 2011 bringing no slowdown to breaches, the price of each incident actually fell.

According to Symantec's annual "Cost of a Data Breach Study," for the first time since the survey began in 2006, the cost fell, from $US7.2 million ($A6.86 million) to $US5.5 million ($A5.24 million). Put another way, that worked out to $US194 ($A185) per compromised record, down from $US214 ($A204) in 2010.

Patricia Titus, CISO of Symantec, attributed the drop to organizations having a better handle on how to respond to security incidents. Outfits that conducted a thorough assessment of the breach before notifying victims and ones that had a designated security professional in charge of enterprise data protection tended to pay less per breach.

"It's now becoming business as usual," Titus told SCMagazine.com.

The study, conducted by the Ponemon Institute, analyzed 49 breaches, whose losses ranged from 4,500 to 98,000 records. It chose not to examine any of the mega-breaches from 2011 because they are not common and would skew the results.

The incidents' cost took into account a number of factors, including hiring forensic examiners, providing phone support to victims and offering credit monitoring services. Also included were "indirect costs," such as internal man hours devoted to detecting and responding to the breach, in addition to reputational harm and customer churn.

Detection rates declined, which means businesses are doing a better job of determining that a breach happened and locating the source of it, according to the report. However, due to myriad regulations, notification costs rose.

Meanwhile, the study found that fewer customers are turning their backs on companies that sustain data losses. Titus credited this to the availability of consumer tools to prevent ID theft, as well as more of a general acceptance that breaches happen.

"People are becoming more familiar with it," she said. "It's not something new. People are realizing that they if they do a few smart things, there's significantly less chance of [a financial] impact."

The study, which looked at breaches in 14 different sectors, reflected a rise in hacker attacks. It determined that half of the cases were due to a malware infection, while a third were caused by a "criminal insider." Another 28 percent of the breaches involved the theft of a device containing personal information.

This article originally appeared at scmagazineus.com