Security Lapses More Costly

The cost of data breaches increased from 2008 to 2009, with no signs of abating. And the bad guys are getting badder.

Alarmed by reports of cyber-attacks on Google and dozens of other U.S. companies? You should be.  

“If it could happen to Google, it could happen to anyone,” cautions Phillip Dunkelberger, CEO of PGP. “People were starting to get comfortable with data breaches, but this incident shed a light on the fact that breaches have gone beyond thefts of credit card numbers to sophisticated attacks on companies and their intellectual property.”

According to the Ponemon Institute’s 2009 study, “U.S. Cost of a Data Breach,” the average cost of a security lapse increased almost 2 percent, from $6.65 million per organization in 2008 to $6.75 million in 2009. Even more disturbing: “data breaches from malicious attacks and botnets doubled from 2008 to 2009 and cost substantially more than those caused by human negligence or IT system glitches. The incidence of malicious attacks rose from 12 percent to 24 percent.”

“This is a warning sign of some big problems heading our way,” says Larry Ponemon, chairman and founder of the institute. “For the first time, organizations that took part in our study reported that their breaches were caused by data-stealing malware. Organized crime is going after corporate data, including intellectual property, and these are the most expensive breaches. Companies need to take a proactive stance against these aggressive criminals.”

Are companies learning from their mistakes? Not necessarily. In the data breach study, 82 percent of the cases “involved organizations that had more than one data breach involving the loss or theft of more than 1,000 records containing personal information.”

The increasing use of mobile devices by employees is also causing security problems, with 36 percent of the cases in the study involving laptop computers or other mobile data devices. “The human factor continues to play a big role in data breaches,” Ponemon notes. “Unfortunately, a lot of companies still downplay the cost of a data breach.”

The main factor driving up the indirect costs of data breaches, according to the study participants, is lost business. The “churn rate” (loss of customers) hit the pharmaceuticals, communications and health care industries the hardest, at 6 percent. But they were closely followed by financial services and services, at 5 percent each. Industries with the lowest churn rates are manufacturing, energy and media (all three at or below 1 percent), followed by technology and retail (both at 2 percent).

Interestingly, third-party mistakes were involved in 42 percent of all the data breach cases in the 2009 study, which noted that “data breaches involving outsourced data to third parties, especially when the third party is offshore, were most costly. This could be due to additional investigation and consulting fees.”

“It’s more costly to do forensics properly offshore,” Ponemon explains.

“A company needs to be sure its service-level agreement states how the outsourcing provider will notify affected parties of a data breach and how it will fix the breach,” adds PGP’s Dunkelberger. “In some countries, there is no national disclosure law, so it’s a case of buyer beware. That’s why the SLA is so critical, especially when intellectual property is concerned.”

Another way organizations can protect themselves against data breaches is with good governance, says Ponemon. “Companies need strong internal controls, rigorous security policies, and technologies like encryption and data loss prevention,” he adds. “It’s a case of smart people and smart technology.”