Ponemon and Symantec 2013 Cost of Data Breach Study Says 'We' are the Enemy in Most Cases

June 05, 2013
By: Peter Bernstein

It is report season in the security industry, as witnessed by my earlier item just this past week coming from McAfee (News - Alert) on various cyber threats. In keeping with the season, it seems appropriate that Ponemon and Symantec (News - Alert) this week released their annual 2013 Cost of Data Breach Study: Global Analysis, and it is interesting on two big fronts:

This is the eighth annual global report. It is based on the actual data breach experiences of 277 companies in nine countries including the United States, United Kingdom, France, Germany, Italy, India, Japan, Australia, and Brazil. Ponemon Institute (News - Alert), who crunches the numbers, notes that it does not include “mega data breaches” of more than 100,000 compromised records. This is because it would skew the results, and the picture painted is troubling enough without inclusion of the big breaches.

Highlights of the study

At a high level the two big areas noted above revealed the following findings:

While the details in the report are certainly worth reviewing, the following two charts tell the story.

Source (News - Alert): Ponemon Institute 2013 Cost of Data Breach Study: Global Analysis 

Source:  Ponemon Institute 2013 Cost of Data Breach Study: Global Analysis

In commenting on the findings, Larry Ponemon, chairman, Ponemon Institute stated, “While external attackers and their evolving methods pose a great threat to companies, the dangers associated with the insider threat can be equally destructive and insidious…Eight years of research on data breach costs has shown employee behavior to be one of the most pressing issues facing organizations today, up 22 percent since the first survey.”

In discussing another important finding detailed in the study about how companies that are better protected could demonstrate the value of that protection, Anil Chakravarthy, executive vice president of the Information Security Group, Symantec stated,  “Given organizations with strong security postures and incident response plans experienced breach costs 20 percent less than others, the importance of a well-coordinated, holistic approach is clear…Companies must protect their customers’ sensitive information no matter where it resides, be it on a PC, mobile device, corporate network or data center.”

Additional key findings included:

Symantec not surprising has some common sense suggestions regarding best practices to follow in order to prevent a data breach and reduce costs in the event of one:

  1. Educate employees and train them on how to handle confidential information
  2. Use data loss prevention technology to find sensitive data and protect it from leaving your organization
  3. Deploy encryption and strong authentication solutions
  4. Prepare an incident response plan including proper steps for customer notification

And, if you want to see where your organization stacks up in terms of its risk exposure Symantec lets you do a rough estimate if you visit Symantec’s Data Breach Risk Calculator. When you enter your organization’s size, industry, location and security practices the output is per record and an organizational estimate. These kinds of calculators can be useful or frightening depending on your results. However, like the study itself, it might be painful but it is good to know.

 




Edited by Jamie Epstein


Original Page