Ponemon and Symantec 2013 Cost of Data Breach Study Says 'We' are the Enemy in Most Cases

By Peter Bernstein June 05, 2013

It is report season in the security industry, as witnessed by my earlier item just this past week coming from McAfee on various cyber threats. In keeping with the season, it seems appropriate that Ponemon and Symantec this week released their annual 2013 Cost of Data Breach Study: Global Analysis, and it is interesting on two big fronts:

  • Causes of data breaches
  • How much data breaches cost on average

This is the eighth annual global report. It is based on the actual data breach experiences of 277 companies in nine countries including the United States, United Kingdom, France, Germany, Italy, India, Japan, Australia, and Brazil. Ponemon Institute, who crunches the numbers, notes that it does not include “mega data breaches” of more than 100,000 compromised records. This is because it would skew the results, and the picture painted is troubling enough without inclusion of the big breaches.

Highlights of the study

At a high level the two big areas noted above revealed the following findings:

  • Roughly 66 percent of data breaches looked at in 2012 in the study areas were caused by human errors or systems failures
  • The global average cost per record compromised was USD $136

While the details in the report are certainly worth reviewing, the following two charts tell the story.

Source: Ponemon Institute 2013 Cost of Data Breach Study: Global Analysis 

Source:  Ponemon Institute 2013 Cost of Data Breach Study: Global Analysis

In commenting on the findings, Larry Ponemon, chairman, Ponemon Institute stated, “While external attackers and their evolving methods pose a great threat to companies, the dangers associated with the insider threat can be equally destructive and insidious…Eight years of research on data breach costs has shown employee behavior to be one of the most pressing issues facing organizations today, up 22 percent since the first survey.”

In discussing another important finding detailed in the study about how companies that are better protected could demonstrate the value of that protection, Anil Chakravarthy, executive vice president of the Information Security Group, Symantec stated,  “Given organizations with strong security postures and incident response plans experienced breach costs 20 percent less than others, the importance of a well-coordinated, holistic approach is clear…Companies must protect their customers’ sensitive information no matter where it resides, be it on a PC, mobile device, corporate network or data center.”

Additional key findings included:

  • Average cost per data breach varies widely worldwide. Many of these differences are due to the types of threats that organizations face, as well as the data protection laws in the respective countries. Some countries such as Germany, Australia, the United Kingdom and United States, have more established consumer protection laws and regulations to strengthen data privacy and cyber security. United States and Germany continue to incur the most costly data breaches (at an average cost per compromised record of $188 and $199 respectively). These two countries also had the highest total cost per data breach (United States at $5.4 million and Germany at $4.8 million).
  • Mistakes made by people and systems are the main causes of data breach. Together human errors and system problems account for 64 percent of data breaches in the global study, while prior research shows that 62 percent of employees think it is acceptable to transfer corporate data outside the company and the majority never delete the data, leaving it vulnerable to data leaks. This illustrates the large extent to which insiders contribute to data breaches and how costly that loss can be to organizations. Brazilian companies were most likely to experience breaches caused by human error. Companies in India were the most likely to experience a data breach caused by a system glitch or business process failure. System glitches include application failures, inadvertent data dumps, logic errors in data transfer, identity or authentication failures (wrongful access), data recovery failures, and more.
  • Malicious and criminal attacks are the most costly everywhere. Consolidated findings show that malicious or criminal attacks cause 37 percent of data breaches and are the most costly data breach incidents in all nine countries. U.S. and German companies experience the most expensive data breach incidents caused by malicious or criminal attackers at $277 and $214 per compromised records, respectively, while Brazil and India had the least costly data breach at $71 and $46 per record, respectively. German companies were also most likely to experience a malicious or criminal attack, followed by Australia and Japan.
  • Some organizational factors decrease the cost. U.S. and U.K. companies received the greatest reduction in data breach costs by having a strong security posture, incident response plan and CISO appointment. The U.S. and France reduced costs by engaging data breach remediation consultants.

Symantec not surprising has some common sense suggestions regarding best practices to follow in order to prevent a data breach and reduce costs in the event of one:

  1. Educate employees and train them on how to handle confidential information
  2. Use data loss prevention technology to find sensitive data and protect it from leaving your organization
  3. Deploy encryption and strong authentication solutions
  4. Prepare an incident response plan including proper steps for customer notification

And, if you want to see where your organization stacks up in terms of its risk exposure Symantec lets you do a rough estimate if you visit Symantec’s Data Breach Risk Calculator. When you enter your organization’s size, industry, location and security practices the output is per record and an organizational estimate. These kinds of calculators can be useful or frightening depending on your results. However, like the study itself, it might be painful but it is good to know.

 




Edited by Jamie Epstein
SHARE THIS ARTICLE
Related Articles

Four Reasons to Reach for the Cloud after World Earth Day

By: Special Guest    4/23/2018

The World Earth Day agenda offers a chance to flip the rationale for cloud adoption and highlight environmental benefits that the technology brings pr…

Read More

Bloomberg BETA: Models Are Key to Machine Intelligence

By: Paula Bernier    4/19/2018

James Cham, partner at seed fund Bloomberg BETA, was at Cisco Collaboration Summit today talking about the importance of models to the future of machi…

Read More

Get Smart About Influencer Attribution in a Blockchain World

By: Maurice Nagle    4/16/2018

The retail value chain is in for a blockchain-enabled overhaul, with smarter relationships, delivering enhanced transparency across an environment of …

Read More

Facebook Flip-Flopping on GDPR

By: Maurice Nagle    4/12/2018

With GDPR on the horizon, Zuckerberg in Congress testifying and Facebook users questioning loyalty, change is coming. What that change will look like,…

Read More

The Next Phase of Flash Storage and the Mid-Sized Business

By: Joanna Fanuko    4/11/2018

Organizations amass profuse amounts of data these days, ranging from website traffic metrics to online customer surveys. Collectively, AI, IoT and eve…

Read More