According to the recently released Ponemon Cost of a Data Breach Report for 2011, the costs of data breaches declined for the first time in 7 years, both on an organizational and per-record basis. Although this does not mean the risks of data breaches have diminished, it offers interesting insight into what organizations may be doing to mitigate the costs.
The 7th annual joint analysis by Symantec and the Ponemon Institute looked at 49 data breach cases affecting 4,500 - 98,000 records per breach, all across the globe and in 14 different industries. The report looked into costs ranging from direct business costs (forensic experts, outsourcing hotline support) to indirect costs (in-house investigations, communication). Reports were compiled for specific countries as well as overall. For our purposes, we will examine the US Cost of Data Breach Report.
The report showed the changing composition of data breaches, highlighting that negligent insiders accounted for the largest proportion of data breaches for the year while malicious attacks were the most costly type of attack within the US.
"This year’s report shows that insiders continue to pose a serious threat to the security of their organizations. This is particularly true as the increasing adoption of tablets, smart phones and cloud applications in the workplace means that employees are able to access corporate information anywhere, at any time. It is essential for companies to put the proper information protection policies and procedures in place to counterbalance these new realities." - Francis deSouza, group president, Enterprise Products and Services, Symantec Corp
An interesting finding for the year concerns the ability of an organization to reduce the cost of a data breach with the hiring of a CISO (chief information security officer). Security technology (data loss prevention, two-factor authentication, encryption and tokenization) may also be a factor in the decline of data breach costs.
Highlights from the study:
The report offered some interesting correlations between proactive security initiatives and data breach costs. Although the data breaches may not have been avoided by these measures, organizations were able to reduce their costs quite substantially.