The Cost of a Data Breach in 2011

By: Absolute Team | 3/28/2012

In the recently released Ponemon Cost of a Data Breach Report for 2011, the costs of data breaches declined for the first time in 7 years, both on an organizational and per-record basis. Although this does not mean the risks of data breaches have diminished, it offers interesting insight into what organizations may be doing to mitigate the costs.

The 7th annual analysis, produced jointly by Symantec and the Ponemon Institute, looked at 49 data breach cases around the globe across 14 different industries, each affecting between 4,500 and 98,000 records. The report examined costs ranging from direct business costs (forensic experts, outsourced hotline support) to indirect costs (in-house investigations, communication). Reports were compiled for specific countries as well as for the study overall. For our purposes, we will examine the US Cost of Data Breach Report.

The report showed the changing composition of data breaches, highlighting that negligent insiders accounted for the largest proportion of data breaches for the year, while malicious attacks were the most costly type of breach within the US.

"This year’s report shows that insiders continue to pose a serious threat to the security of their organizations. This is particularly true as the increasing adoption of tablets, smart phones and cloud applications in the workplace means that employees are able to access corporate information anywhere, at any time. It is essential for companies to put the proper information protection policies and procedures in place to counterbalance these new realities." - Francis deSouza, group president, Enterprise Products and Services, Symantec Corp

An interesting finding for the year concerns the ability of an organization to reduce the cost of a data breach by hiring a CISO (chief information security officer). Security technology (data loss prevention, two-factor authentication, encryption and tokenization) may also be a factor in the decline of data breach costs.

Highlights from the study:

  • The organizational cost of a data breach was $5.5 million in 2011 (down from $7.2 million in 2010) and $194 per record (down from $214)
  • 39% of organizations say negligence by insiders was the root cause of the data breach
  • Malicious or criminal attacks account for more than 1/3 of the total breaches in the study; they remain the most costly type of breach
  • Data breaches caused by third parties or by a lost or stolen device increased the cost per record by $26 and $22, respectively
  • Organizations with a CISO having enterprise-wide responsibility for data protection can reduce the cost of a data breach by 35%, or $80 per compromised record
  • Outside consultants assisting with the breach response can save organizations as much as $41 per record

The report offered some interesting correlations between proactive security initiatives and data breach costs. Although these measures may not have prevented the breaches themselves, organizations that had them in place were able to reduce their costs quite substantially.