Symantec Corp. and Ponemon Institute have revealed that the average cost of a data breach has risen for the fifth consecutive year. The 2011 Annual Study: UK Cost of a Data Breach found that the average cost per capita of a data breach rose to 79 per record, up from 71 in 2010 and 68 percent higher than 47 in 2007. Notably, negligent employees or contractors pose the biggest risk to organisations, responsible for over a third (36 percent) of all data breaches.
Despite a rise in cost per record, the report also disclosed that the actual organisational cost of a breach has, in fact, declined from 1.9 million in 2010 to 1.75 million in 2011, suggesting that businesses have improved performance in both preparing and responding to data breaches. Data breaches cost companies an average of 79 per compromised record of which 37 pertains to indirect costs such as lost business, reputational damage or churn of existing customers.
Mike Jones, Senior Product Marketing Manager, Symantec commented: "We're noticing that companies at risk of data loss are becoming wise to the financial impact of a data breach. These businesses are implementing steps not just to prevent loss but to mitigate the damage, should a breach occur. It's not just direct costs such as fines from The Information Commissioner's Office (ICO) that need to be considered, although these help to drive the business case for preventative measures, but also indirect costs such as brand impact and disappointed customers leaving the brand.
While Ponemon Institute takes into consideration the costs of the actual data loss related to records, in recent years there has also been an increased consciousness amongst businesses that valuable intellectual property and private communications can present a great source of risk to a company's financial stability.
In addition, the report shows a large proportion of data breaches are actually caused by individual negligence. Businesses need to show that they are aware of this and be seen to react in an appropriate way. They need to take protective measures to proactively monitor the level of control and the access to company data that they give to individual employees and prevent accidental or purposeful misuse."
The report indicates that fewer records are being lost in breaches and businesses that do suffer data loss are less likely to be abandoned by customers, with the average abnormal churn decreasing from 3.3 percent in 2010 to 2.9 percent. Yet, certain industries, such as financial services or pharmaceutical companies, remain more susceptible to customer churn, causing the cost of their data breaches to be higher than the average.
Jones concluded: "We've shifted to an age where data breaches are now just a common occurrence. As such, UK consumers have become somewhat desensitised to data losses, but that doesn't mean that businesses should become complacent. The cost of data loss still remains high and, in tighter economic times, even a single digit increase in customer churn can be terminal to profitability.
"Indirect costs represent 47 percent of total per capita cost so organisations need to be cautious of this. By taking steps to keep customers loyal, and repair any damage to reputation and brand through quick reactions and taking the appropriate action, businesses can help to reduce the cost of a data breach. It's interesting that spend on public relations and communications costs have steadily risen since 2007, increasing by 5 percent."
Malicious or criminal attacks have increased slightly from 29 percent to 31 percent and are the most costly for organisations. Accordingly, organisations need to focus on policies, processes and technologies that address threats from the malicious insider or hacker. Likewise, certain organisational factors can reduce overall costs. The report showed that for those organisations with a CISO that has overall responsibility for enterprise data protection, the average cost of a data breach can be reduced as much has 18 per compromised record.
Companies can analyse their own risk by visiting Symantec's Data Breach Risk Calculator. Based on six years of trend data, the calculator takes into account an organisation's size, industry, location and security practices to estimate how much a data breach would cost on both a per record and organisational basis.