The 2011 Cost of Data Breach Study: United States produced by Symantec and the Ponemon Institute estimates that the average cost of an enterprise data breach was $5.5 million in 2011, down from $7.2 million in 2010.
According to the report, the leading cause of sensitive-data breaches was negligence by corporate insiders.
The study also noted that breaches sustained as a result of a malicious attack were on average twenty-five percent more costly to the organization than those incurred due to other factors.
The study examined data collected from fourteen different industry sectors and included analysis of forty-nine separate data loss events. Companies that had established a chief information security officer position were able to reduce the financial impact of a breach by an average of thirty-five percent per compromised record compared to those that did not have an equivalent position.
“This year’s report shows that insiders continue to pose a serious threat to the security of their organizations. This is particularly true as the increasing adoption of tablets, smartphones and cloud applications in the workplace means that employees are able to access corporate information anywhere, at any time,” said Symantec’s Francis deSouza.
“It is essential for companies to put the proper information protection policies and procedures in place to counterbalance these new realities,” deSouza continued.
The study looked at breaches in the range of 4,500 to 98,000 compromised records, and excluded what it described as "catastrophic breaches", those with more than 100,000 exposed records.
Additional key findings from the report include:
- Negligent insiders and malicious attacks are the main causes of data breach. Thirty-nine percent of organizations say negligence was the root cause of the data breaches. For the first time, malicious or criminal attacks account for more than a third of the total breaches reported in this study. Since 2007, they also have been the most costly breaches. Accordingly, organizations need to focus on processes, policies and technologies that address threats from the malicious insider or hacker.
- Certain organizational factors reduce the overall cost. If the organization has a CISO with overall responsibility for enterprise data protection, the average cost of a data breach can be reduced by as much as $80 per compromised record. Outside consultants assisting with the breach response also can save as much as $41 per record. Given the average number of records lost or stolen, these factors can provide significant financial benefits.
- Specific attributes or factors of the data breach also can increase the overall cost. For example, in this year’s study organizations that had their first ever data breach spent on average $37 more per record. Those that responded and notified customers too quickly without a thorough assessment of the data breach also paid an average of $33 more per record. Data breaches caused by third parties or a lost or stolen device increased the cost by $26 and $22, respectively.
- Detection and escalation costs declined but notification costs increased. Detection and escalation costs declined from approximately $460,000 in 2010 to $433,000 in 2011. These costs cover the activities that enable a company to detect a breach and determine whether the data was compromised at rest (in storage) or in transit (in motion).
- More customers remain loyal following the data breach. For the first time, fewer customers are abandoning companies that have a data breach. However, certain industries are more susceptible to customer churn, which causes their data breach costs to be higher than the average. Taking steps to keep customers loyal and repair any damage to reputation and brand can help reduce the cost of a data breach.
- The cost of data breach declined. For the first time in seven years, both the organizational cost of data breach and the cost per lost or stolen record have declined. The organizational cost has declined from $7.2 million to $5.5 million and the cost per record has declined from $214 to $194.
“One of the most interesting findings of the 2011 report was the correlation between an organization having a CISO on its executive team and reduced costs of a data breach. As organizations of all sizes battle an uptick in both internal and external threats, it makes sense that having the proper security leadership in place can help address these challenges,” said the Ponemon Institute's Dr. Larry Ponemon.