Can Your Enterprise Afford A $6.6 Million Data Breach?
By Susan Nunziata
A lost laptop was the cause of a data breach for more than one third (35%) of the companies surveyed in the 2008 Ponemon Institute's Fourth Annual Cost Of A Data Breach study.
The average cost of a data breach rose 2.5% in 2008 to $202 per record, from $197 per record in 2007, according to the report, which is sponsored by PGP Corp.
In addition to lost laptops, "we found that another large group of companies lost information by virtue of other [portable] data-bearing devices," says Dr. Larry Ponemon, Chairman & Founder of The Ponemon Institute. "It could have even been a USB memory stick, a Treo, an iPhone. Mobile devices are basically the root cause to a lot of this cost that we've been studying over the years. And it seems to be on the increase, rather than decreasing. Especially as more of these devices are small and they're readily available and they're integrated into someone's work."
Adds Ponemon: "It's clear that mobility, while it's a great thing, does have commensurate costs, data breach being one of those costs if in fact the device is lost or stolen."
The study examines the costs incurred by 43 organizations after experiencing a data breach. Breaches included in the survey ranged from fewer than 4,200 records to more than 113,000 records from 17 different industry sectors.
The average total cost per reporting company was more than $6.6 million per breach (up from $6.3 million in 2007 and $4.7 million in 2006) and ranged from $613,000 to almost $32 million.
Insecure wireless networks are also a big culprit, says Ponemon. "We have a category called system glitches. One of the system glitches we've detected, not only in this study but in other studies that our Institute conducts concerns insecure wireless networks. We find that more and more organizations are reporting breaches because, say, an employee travelling on business happens to be at an airport, wants to get email from her or his laptop computer and it's an insecure wireless network and . . . information is potentially stolen. So we're seeing wireless networks increasing as a root cause of data loss in a lot of our studies, not just this study."
Ponemon adds, "Insecure wireless networks are pervasive. People use [them] because [they're] convenient. [Employees] are not actually thinking about the security implications until it's too late."
In fact, employee negligence of all stripes accounts for the vast majority (88%) of all data breaches in the study, with the remaining 12% caused by malicious acts. Yet the latter end up costing an organization $225 per record, compared with $199 per record when the cause is employee negligence.
The reason? A malicious breach "requires more resources, forensic resources, detection resources, and actually probably other legal defense issues that could add up and be much more costly for a company," says Ponemon.
From The Outside In
Breaches by third-party organizations such as outsourcers, contractors, consultants, and business partners were reported by 44% of respondents in 2008, up from 40% in 2007.
A third-party breach is defined as a case where a third party (such as professional services, outsourcers, vendors, business partners) was in the possession of the data and responsible for its protection.
In comparison, an in-house breach is defined as a case where the protection of data was the responsibility of the organization itself (by an employee or for data on the corporate network, for example).
This type of breach has continued to escalate. Third-party breaches accounted for slightly more than one quarter of all breaches (29%) in 2006, and about one fifth (21%) in 2005.
Per-victim cost for third-party flubs is $52 higher ($231 vs. $179) than if the breach is insider caused.
Bottom Line Impact
Lost business continues to be the most costly effect of a breach, accounting for an average total of $4.59 million per breach, or $139 per record compromised. In 2008, lost business accounted for 69% of a data breach's costs, compared with 65% in 2007 and 54% in 2006.
Training and awareness programs lead companies' efforts to prevent future breaches, according to 53% of respondents. Nearly half (49%) are creating additional manual procedures and controls.
Of the technology options deployed to prevent future breaches, 44% of companies have expanded their use of encryption technologies, 40% increased their use of identity and access management solutions, 26% expanded their use of endpoint security solutions such as laptop anti-theft, and 16% strengthened the perimeter controls of their networks.
Beware The Economic Meltdown
The current economic conditions may create a perfect storm of data vulnerability this year, according to John Dasher, Director Of Product Marketing with PGP. "It's always harder for an external third party to hack into a company, and then figure out where data of value might be. It's a big job. It does happen. It's non-trivial."
On the other hand, insider theft is far more insidious because it's much easier to accomplish, says Dasher. "It's really about access. [Insiders] tend to know where the valuable data is."
As corporations downsize in a down economy, "You could end up with people with high levels of data access who lose their jobs and are quite disgruntled. And disgruntled employees sometimes do pretty terrible things on the way out the door. With mobile devices having the capacity they have, it's a pretty easy thing for someone with a nice sized thumb drive to download all kinds of important data and unleash that, or sell that."
That said, cyber criminals shouldn't be underestimated, warns Ponemon. "There's evidence to suggest the typical cyber criminal is getting better and more sophisticated [than ever]."
With the current rash of mergers and acquisitions, "as companies rush to consolidate and bring all of this data together, it's a very vulnerable time, and cyber criminals strike at vulnerability," says Ponemon. "This is a time where companies need to be especially vigilant."