Data breaches cost organisations $US7.2 million last year, a rise of 7 percent, a Symantec-Ponemon study found.
The sixth annual study, which assessed the costs of activities resulting from the actual data breach experiences of 51 US organisations, found that the incidents cost companies an average of $214 a compromised record. This is the fifth consecutive year that costs have increased.
The most expensive breach analysed cost $US35.3 million, while the lowest was $US780,000. A chief executive officer told researchers he was “extremely overwhelmed” by the costs associated with his organisation's breach, said Larry Ponemon, chairman and founder of the Ponemon Institute.
“It's not uncommon that people will say, 'That's a pretty expensive proposition and we might be underestimating it,'” Ponemon said.
Business costs, such as customer loss and decreases in employee productivity, were the biggest proportion of breach costs, according to the study. Other expense areas resulted from detection or discovery of the breach, notification and response activities to help victims.
The study found that moving too quickly through the breach process may cause inefficiencies that ratchet up costs. Forty-three percent of respondents said they notified victims within one month of discovering the breach. These quick responders paid an average of $268 per lost record, compared to $174 paid by organisations that took longer.
“Organisations that are fast are also less precise when identifying who is at risk,” Ponemon said. “So, there's this over-reporting phenomenon, which can lead to the loss of customers.”
But companies may feel pressure to report the breach and notify victims as quickly as possible due to regulations and laws, according to the study.
Malicious or criminal attacks were increasingly the root cause of breaches, according to the study. Last year, 31 percent of cases involved criminal attacks, up 7 percent from 2009.
Negligence is the most prevalent cause of breaches, accounting for 41 percent of incidents last year.
On a positive note, organisations were more vigilant. The prevalence of breaches due to system failures, lost or stolen devices, and third-party mistakes all decreased from the year before. And more companies placed a chief information security officer in charge of breach response.
To prevent future data leakage, nearly two-thirds of respondents said they implemented training and awareness programs. Also, 61 percent said they expanded their use of encryption after a breach, up three percent from the previous year. Other popular preventative measures included adding more manual procedures and controls and deploying identity and access management or data leakage prevention solutions.
Brian Tokuyoshi, senior product marketing manager for Symantec, said that deploying encryption before a breach could lead to cost savings. Data breach regulations vary by state, but organisations typically were not required to notify individuals when missing data was encrypted.
“We've seen a lot of encryption projects get taken up after a breach,” he said. “That is usually too late. It's not going to do anything to help data that's already been lost.”
Other best practices for avoiding data breaches include educating employees on information protection policies and procedures and assessing risks by identifying and classifying confidential information, according to the study.
This article originally appeared at scmagazineus.com