For the first time in seven years—and despite numerous high-profile incidents—the average cost of a data breach fell in 2011, according to new findings released by Symantec and the Ponemon Institute.
"Nearly shocking to me, the cost of data breach declined," says Dr. Larry Ponemon, chairman and founder of research think tank Ponemon Institute. "It's still not chump change."
The study found the average organizational cost per data breach was $5.5 million in 2011, down 24 percent from $7.2 million in 2010. Additionally, the cost per compromised record fell to $194 per record, down $20 (10 percent) from 2010. That's the lowest cost per compromised record since 2007.
Ponemon Institute has conducted this benchmark study for seven years using the activity-based costing model developed by Harvard University Professor Robert S. Kaplan. Dr. Ponemon explains the model starts with the detection or study of a data breach incident and takes into account forensic and investigative activities, incident response, notification, legal, consulting, outbound communication and call center activities, activities to maintain customer confidence and trust, direct churn, secondary churn and increased customer acquisition costs. The study investigated 49 actual data breach incidents across 14 industry sectors in the U.S.
A decline in lost business costs—abnormal turnover of customers, increased customer acquisition activities, reputation losses and diminished goodwill—drove the overall decline in data breach costs. Lost business costs fell to $3.01 million in 2011, down 34 percent from $4.54 million in 2010.
Data Breach Notifications Too Rapid?
While the decline in costs should benefit businesses, the reason for the decline may not be so reassuring.
"I think the root cause is that people are maybe becoming a little numb to the notification," Dr. Ponemon says when asked to speculate on the driver for the decline in lost business costs. "Maybe most of us by now have received one if not more notifications. Over time, if you don't become a data breach victim as a result of the event, it begins to lose its impact. These notifications are becoming almost ubiquitous. It's hard to determine which ones I should care about."
And, in fact, notification costs were up 10 percent in 2011, from $511,454 in 2010 to $561,495 in 2011. Dr. Ponemon noted that new laws and regulations governing data breach notification played a role in that increase.
The Ponemon Institute also found that organizations that respond to a breach too quickly and send notifications to customers immediately rather than first taking a thorough assessment of the data breach paid on average $33 more per compromised record. Additionally, organizations responding to their first data breach event paid an average of $37 more per compromised record. Data breaches caused by third parties or due to lost or stolen devices also increased the average cost of compromised records by $26 and $22, respectively.
Organizations with CISOs Pay Less
Companies prepared to deal with data breaches, paid less on average. For instance, organizations with a chief information security officer (CISO) with overall responsibility for enterprise data protection reduced their costs by as much as $80 per compromised record. The hiring of outside consultants to assist with breach response could save as much as $41 per compromised record.
"One of the most interesting findings of the 2011 report was the correlation between an organization having a CISO on its executive team and reduced costs of a data breach," Dr. Ponemon says. "As organizations of all sizes battle an uptick in both internal and external threats, it makes sense that having the proper security leadership in place can help address these challenges."
Dr. Ponemon notes, however, that it is not the existence of an executive with the CISO title that drives down the costs. Rather it is an indicator of a company that takes the threat seriously and has established good governance to mitigate the risk.
The study found that, as in past years, negligent insiders and malicious attacks are the main causes of data breaches. Thirty-nine percent of organizations say negligence was the root cause of data breaches, while malicious or criminal attacks account for 37 percent of total breaches. Malicious attacks also represent the most costly data breaches.
"This year's report shows that insiders continue to pose a serious threat to the security of their organizations," says Francis deSouza, group president of Enterprise Products and Services at Symantec. "This is particularly true as the increasing adoption of tablets, smart phones and cloud applications in the workplace means that employees are able to access corporate information anywhere, at any time. It is essential for companies to put the proper information protection policies and procedures in place to counterbalance these new realities."
Data Breach Prevention Best Practices
Symantec recommends that organizations follow these best practices:
Assess risks by identifying and classifying confidential information
Educate employees on information protection policies and procedures, then hold them accountable
Implement an integrated security solution that includes reputation-based security, proactive threat protection, firewall and intrusion prevention in order to keep malware off endpoints
Deploy data loss prevention technologies to enable policy compliance and enforcement
Proactively encrypt laptops
Implement two-factor authentication
Integrate information protection practices into business processes
Symantec has also released a free Data Breach Risk Calculator to help you estimate how much a data breach could cost on both a per record and organizational basis. It takes into account an organization's size, industry, location and security practices.
Thor Olavsrud is a senior writer for CIO.com. Follow him @ThorOlavsrud.