|
By Michael Eggebrecht
The percentage of data breaches caused by malicious attacks doubled last year at U.S. companies, according to a study from the Ponemon Institute. In 2008, 12 percent of breaches involved cyber criminals; in 2009, that rose to 24 percent, says the research firm.
The leading cause of data breaches -- at 40 percent -- was negligence, according to Ponemon, with systems glitches accounting for the remaining 36 percent. But the study says that criminal attacks cost companies the most, racking up $215 per compromised record, compared to $154 for negligent insiders and $166 for glitches.
The average organizational cost of a data breach increased from $6.65 million an incident in 2008 to $6.75 million last year, though the cost per comprised record increased only $2, from $202 to $204. Not surprisingly, companies with chief information security officers did better from an expense perspective. Enterprises with CISOs saw per-record costs of $157; those without saw that number climb to $236.
Ponemon analyzed breaches at 45 U.S. businesses across 15 industries for the annual study, which was sponsored by enterprise data vendor PGP Corp. and was issued today. In the breaches examined, the number of exposed records ranged from 5,000 to 101,000. The most expensive incident cost the company in question about $31 million to resolve; the least expensive was $750,000.
“In the five years we have conducted this study, we have continued to see an increase in the cost to businesses for suffering a data breach,” said Larry Ponemon, chairman of the Ponemon Institute, in a statement. “With a variety of threat vectors to contend with, companies must proactively implement policies and technologies that mitigate the risk of facing a costly breach.”
What kind of actions are companies taking to prevent future breaches? According to the study, 67 percent of the respondents said they have turned to training and awareness programs, with 58 percent implementing additional manual procedures and controls. Other approaches include expanded use of encryption (58 percent), identity and access management systems (49 percent), data loss prevention systems (42 percent) and endpoint security systems (36 percent).
The Ponemon Institute also found that when it comes to notifying victims, it doesn’t necessarily pay off to do it quickly. Of those organizations that told victims about an attack within one month, 36 percent ended up paying more than companies that took their time -- $219 per record, compared to $196. “Moving too quickly through the data breach process -- especially during the detection, escalation and notification phases -- may cause inefficiencies that raise total costs,” says the study.
Forty-two percent of the breaches involved data outsourced to third parties, down from 44 percent last year. And 36 percent of the incidents involved lost or stolen laptops or mobile devices.
Only registered users can write comments.
Please login or register. |
