The average organizational cost for data breaches dropped 24 percent from 2010 to 2011, according to a new study by security firm Symantec and the Ponemon Institute, a research organization. The cost of data breaches declined because companies are getting better at managing the costs, such as detection and escalation.
Although notification costs have increased, customer loss following a breach has lessened, as customers are apparently getting used to data loss incidents. Additionally, more data loss prevention technologies are being employed and fewer records are being lost in individual breaches.
'Anywhere at Any Time'
The average per capita cost of a data breach is now $194, down from the last report's $214. Organizationally, costs for a data breach have declined from an average of $7.2 million to $5.5 million.
Other costs in a data breach include outside forensic experts, outsourcing hotline support, and providing free credit monitoring subscriptions or discounts for future products and services, to retain customer loyalty following a breach. There are also indirect costs, such as in-house investigations and communication.
These average costs did not include data from catastrophic breaches involving more than 100,000 records, since they are not typical in the U.S. The report looked at incidents ranging from 4,500 records to about 98,000 records, with the average being 28,349.
This seventh annual Ponemon Cost of Data Breach Study is based on actual data breach cases from 49 U.S. companies, representing 14 industries.
Malicious attacks are about 25 percent more costly than other kinds, but, the study said, organizations with a chief information security officer, or CISO, can reduce the cost of a data breach. A CISO with responsibility for data can help to reduce the average cost of a data breach by as much as $80 per record.
CISO 'Makes Sense'
Larry Ponemon, chairman and founder of the Ponemon Institute, told news media that this correlation between having a CISO and reducing data breach costs was "one of the most interesting findings" in the new report. He noted that it "makes sense that having the proper security leadership in place can help address these challenges."
Aside from employing a CISO, Symantec recommends that best practices should include educating employees on policy and holding them accountable, encrypting laptops, implementing two-factor authentication, and using an integrated security solution that includes proactive threat protection, firewalls and intrusion protection.
While malicious attacks cost the most, negligence is seen as the root cause of data breaches by 39 percent of the organizations surveyed. Malicious attacks are now more than a third of the total reported.
Francis deSouza, group president for Enterprise Products and Services at Symantec, said in a statement that the threat from insiders is heightened by the increasing use of devices, which allow employees "access to corporate information anywhere, at any time."
The Ponemon Institute conducts independent research, educational efforts, and the verification of data protection and privacy practices to advance "responsible information and privacy management practices in business and government."