Data breaches cost organisations US$204 per record in 2009

Figure continues to rise.

Data breaches last year cost organisations US$204 (A$226) per exposed record on average, which represents an almost two percent increase over 2008, according to the fifth annual "Cost of Data Breach" study released this week by the Ponemon Institute.

“I am surprised that the number keeps on going up,” Larry Ponemon, chairman and founder of the Ponemon Institute, told on Friday. “Even though it's a small amount, it suggests to us that people still deeply care about data breaches.”

The study, which examined the experiences of 45 companies that suffered breaches last year, also found that the number of data breaches that were caused by malicious attacks and botnets doubled from 12 percent in 2008 to 24 percent in 2009. In addition, data breaches caused by malicious attacks cost organisations 30 to 40 percent more on average than those caused by human negligence or by IT system glitches.

“For the first time, companies participating in the study reported that data-stealing malware caused their breaches,” the study reported.

More commonly, however, 42 percent of all data breaches last year resulted from third-party mistakes. 36 percent of breaches involved lost or stolen laptops or other mobile devices.

The most expensive data breach included in this year's study cost one organisation nearly US$31 million to resolve, and the least expensive breach cost US$750,000. Lost business makes up the largest portion of breach costs, totaling US$135 per record lost on average, a slight decrease from US$139 in 2008, the study found. Ex-post response activities, which include providing credit monitoring services and other assistance to breach victims, cost US$46 per record last year, up from US$39 in 2008.

“One of the main reasons for an increase in ex-post response costs is due to the increase in legal defense costs,” the study said. “This can be attributed to increasing fears of successful class actions resulting from customer, consumer or employee data loss.”

Other data breach costs include activities that enable organisations to detect the breach, which totaled US$8 per record on average last year, and costs to notify breach victims, which totaled US$15 per record.

Notifying breach victims too early, however, may raise total breach costs. Those who notified breach victims within one month paid US$219 per record exposed, on average, versus US$196 paid by those who waited longer.

“Companies striving to make a deadline sometimes cut corners on forensics,” Ponemon said, adding that doing so can result in over-reporting the extent of the breach, which can be very costly.

Companies that have experienced a breach need to communicate in a timely way, but must also take enough time to investigate the breach fully and determine who was harmed, how it happened and how to remediate the problem, the Ponemon report said.

Another finding was that having a CISO, or an equivalent position, could decrease data breach costs by 50 percent. Companies with a CISO paid US$157 per compromised record on average, compared with US$236 per compromised record for those that did not have a CISO.

Companies with a CISO fare better after breaches because they have security strategies in place to protect the company's assets and to respond to such incidents, Tim Matthews, senior director of product marketing at encryption firm PGP, which sponsored the study, told

“A CISO can be a focal point and leader,” Matthews said. “Response costs and coordination could be cheaper with someone in that role.”

Besides having a CISO, organisations should consider using encryption technology to help protect data, the study said.

Copyright © SC Magazine, US edition
