Malicious or criminal attacks on data are on the rise, and so are their costs. Those are some of the findings of the 2010 US Cost of a Data Breach study from the Ponemon Institute.
The benchmark study looked at the experiences of 51 US companies in 15 industry sectors; it's the sixth annual such survey done by Ponemon.
According to Ponemon, for the first time, malicious or criminal attacks are the most expensive cause of data breaches. Some 31 percent of all cases involved such an incident, up 7 points from 2009 after having doubled the year before.
Cost per compromised record of this type of data breach averaged $318, up $103 from 2009, the highest of any type of data breach.
In addition, data breaches generally continue to cost companies more every year. The average cost rose to $7.2 million, up 7 percent from 2009. Cost per compromised record was an average of $214, up 5 percent. The most expensive cost $35.3 million to resolve.
At the same time, organizations have stepped up their response to data breaches. For example, 45 percent of companies had a CISO managing breaches, up 5 points from 2009.
Forty-three percent notified victims within one month of discovering the breach, up from 36 percent in 2009.
While that last part sounds like good news, rapid response to data breaches also appears to have a downside: quick responders paid considerably more per record than slow movers.
They had a per-record cost of $268, a 22 percent increase, while other companies saw a drop of 11 percent.
As for preventive measures, researchers suggest companies take a few steps:
- Adopt a multi-pronged approach, not piecemeal solutions. That includes coming up with an overall strategy aimed at protecting data wherever it is (including mobile devices).
- Start using automated data protection measures, such as encryption, and make sure encryption is applied to portable devices.
- Evaluate the security procedures of third parties before sharing confidential or sensitive information.
Data breaches are too costly, both to the bottom line and reputation, not to take such steps seriously.
Cross-posted from CIO Zone