Average Data Breach Costs Companies US$5 Million

Study reveals that stolen hardware is the main culprit for data loss
Companies spent nearly US$5 million on average, and 30 percent more, this year than in 2005, to recover when corporate data was lost or stolen, according to a new study from the Poneman Institute.
The Ponemon Institute's 2006 Cost of Data Breach Study, which was completed in September, shows that the main culprit for data loss in 49 percent of the cases is a lost or stolen laptop, desktop, PDA or thumb drive. The study looked at 31 companies that have experienced a data breach in the past year.
There have been 254 data-breach incidents this year alone, according to the Privacyrights.org Web site. The study also concluded that companies spend US$180,000 after each incident to prevent further data breaches.
In addition, the average cost for each compromised record was up by more than 30 percent over last year, rising from US$138 to US$182. The average total recovery cost was US$140 per lost customer record. According to the study, the increase was fueled by three factors: phone calls for customer notification, free or discounted services and an increase in customer turnover.
Observers note that those costs have nothing to do with IT and suggest that companies need to look across a broader spectrum when factoring costs.
"By not connecting the dots, companies are not seeing the true costs and, therefore, the true value of preventative measures," says Andrew Krcik, vice president of marketing for PGP, one of the sponsors of the survey with Vontu. "He says many companies lack a holistic approach to figuring out costs. "They should be looking at what it costs the company instead of looking at what it costs a particular group, especially IT."
The Poneman Institute is an independent research company focused on issues affecting the implementation of responsible information practices within business and government. The study computed the costs by taking into account such expenses as outlays for detection, escalation, notification and after-the-fact response. The study also took into account direct expenses such as outsourced hot-line support, free credit-monitoring subscriptions, and discounts for future products and services. Indirect costs included in-house investigation and communication, as well as customer turnover.
One interesting finding was that the data theft because of malicious activity by employees accounted for only 6 percent of data breaches. Corporate insiders have long been tagged as major threats when it comes to stolen corporate data.
After stolen laptops, desktops, PDAs or thumb drives, the most common method of data loss was lost or stolen files acquired or used by third parties or outsourcers, put at 29 percent. Lost or stolen electronic backup such as magnetic tapes accounted for 26 percent, and lost or stolen paper records and files accounted for 13 percent of data breaches.
The rest of the list included hacked electronic systems, at 10 percent; malicious insiders, at 6 percent; malicious code, such as malware, spyware or crimeware, at 6 percent; and misplaced network or enterprise storage devices (as a result of a natural disaster, such as a major hurricane), at 3 percent. Of the companies responding to the survey, 6 percent did not disclose how their data breaches occurred.
The study also found that in 32 percent of the data breaches, the CIO or CTO managed the event and the implementation of prevention measures. In 19 percent of the cases, the CISO or CSO dealt with the incident; and a division president or general manager handled the chores in 16 percent of the cases, with a chief privacy officer the leader 6 percent of the time and a compliance officer in 3 percent of the cases. In 29 percent of the cases, respondents reported that more than one person had overall responsibility.
After the breach the top preventive measure taken was the deployment of additional manual procedures and controls 42 percent of the time, training and awareness programs 29 percent, encryption over data in motion 23 percent, encryption over data at rest 16 percent, information leak detection and prevention systems 13 percent, security event management systems 10 percent, additional perimeter controls 10 percent, identity- and access-management systems 6 percent, independent security audits 6 percent, no new procedures or systems 6 percent and encryption over data backups 3 percent. Results add up to more than 100 percent, because respondents could answer in a variety of categories.
John Fontana (Network World) on 03 November, 2006