Human and System Errors Lead to Data Breaches

By Samuel Greengard

Data breaches have become a huge concern for businesses of all sizes and from all industry sectors. A growing number of organizations must cope with the hassles and expense of ongoing cyber-attacks.

A recent study conducted by Ponemon Institute and Symantec found that an overwhelming majority of these incidents are caused by human and system errors. The report, “2013 Cost of Data Breach Study: Global Analysis,” surveyed 277 firms in nine countries and found that two-thirds of breaches in 2012 were a direct result of these two factors.

Moreover, the global average cost per record hit $136, though the United States tipped above $275. This translated into an average cost per incident of more than $5.4 million. The study also found that the indirect costs associated with an incident—including customer churn and loss of goodwill—ranges from a low of 41 percent in Brazil to a high of 68 percent in the U.S.

A number of factors contributed to these breakdowns: employee mishandling of confidential data, lack of system controls, and violations of industry and government regulations. But the problems don’t stop there. According to the report, heavily regulated fields such as health care, finance and pharmaceutical incurred breach costs 70 percent higher than other industries.

“While external attackers and their evolving methods pose a great threat to companies, the dangers associated with the insider threat can be equally destructive and insidious,” noted Larry Ponemon, chairman of the Ponemon Institute. During the eight years the organizations have conducted the study, the role of employee behavior has increased by 22 percent. Overall, 37 percent of incidents were a result of malicious or criminal intent, 35 percent were due to human factors and 29 percent were caused by a system glitch.

A number of key factors directly affect the cost of a data breach. These include: whether an organization has a data breach incident management plan in place at the time of the data breach; whether the firm has a chief information security officer (CISO) overseeing protection issues; whether a third party—typically a business partner—was involved with the breach; how rapidly the organization responds to a breach and notifies victims; and whether the incident involves lost or stolen mobile devices that contain sensitive data, including laptops, tablets and smartphones.

Symantec recommends that, among other things, employers educate employees and train them on how to handle confidential information; deploy data loss prevention technology, as well as encryption and authentication solutions; and prepare an incident response plan including proper steps for customer notification.

There’s no silver bullet, but proactive organizations can minimize their risk. “Given that organizations with strong security postures and incident response plans experienced breach costs 20 percent less than others, the importance of a well-coordinated, holistic approach is clear,” said Anil Chakravarthy, executive vice president of the Information Security Group, Symantec. “Companies must protect their customers’ sensitive information no matter where it resides, be it on a PC, mobile device, corporate network or data center.”