The costs faced by UK organisations that suffer data breaches continued rising in 2012 and now exceed £2 million ($3 million) per incident, a study of real-world incidents has found.
Symantec’s 2013 Cost of Data Breach Study (carried out by the Ponemon Institute) found that the average cost per compromised record has reached £86, up from £79 in 2011 and sharply up on the £47 recorded by the firm in 2007, the first year it looked into the issue.
This means that the average incident now costs £2.04 million each, up from £1.75 million a year earlier. The 38 reported incidents included in the study ranged in size from 3,500 records breached to just over 70,000 records, with the average incident size being 23,000.
The costs measured included obvious aspects such as detection, notification, and after-support, but also lower subsequent turnover and customer churn. In 2012, £43 of the total £86 per compromised record was related to the latter, indirect costs.
The figures weren’t guesstimates but were based on interviews with 300 individuals at the affected organisations, Symantec emphasised.
Breaking down the numbers further, some interesting patterns emerge.
Some industries have higher breach costs than others, with financial services near the top of the cost-per-record graph at £119 per record and media and industry on the lowest rung at around £53 per record.
The public sector cost was nearer the bottom than the top with an average charge of £69 per record.
This is what one might expect: the value and monetary consequences of a compromised financial services customer record clearly differ from those of a media company’s record, not least because the latter sectors suffer lower customer churn as a result of a breach.
The top cause of data breaches was negligence, which accounted for 37 percent of cases, ahead of system glitches (technical errors) on 29 percent and the most serious category of all, criminal activity, on 34 percent.
The issue of criminal involvement is worth commenting on because it skews all costs. The average cost per record of negligence and human error was £76 against the £102 associated with a malevolent attack.
“With more than a third of UK data breaches involving negligent employees or contractors, the human factor is still the weakest link, and so training and awareness should be a priority from the offset,” said Symantec’s product and solutions manager, Mike Smart.
“But here in the UK it seems that malicious attacks are becoming nearly as big a problem. Not only have more data breaches been down to malicious attacks, but when it does happen, it’s far more costly.”
Encouragingly, having an incident response plan in place to cope with breaches affected the final reckoning, reducing the cost per record by an average of £13.
Other positive influences included having a CISO in place (-£9), quick notification (-£2) and having a strong security posture (-£13).
Conversely, factors that increased costs included the incident being caused by a third party such as a partner (which added £17 per record) and the records being breached from a laptop or storage device (+£10).
A common response to a breach incident was greater use of technologies such as encryption, chosen by 38 percent of affected organisations.
A factor this real-world analysis didn’t look at was the effect of the time it takes for breaches to be discovered. A recent report by Trustwave found that the average discovery time in the 450 breaches it studied was 210 days.