Are Data Breaches Becoming Less Costly?
The financial cost of lost and stolen data is declining overall -- but malicious attacks remain more expensive than breaches caused by negligence.
Let's begin with the good news: The cost of lost and stolen data actually declined in 2011 -- the first such decline in seven years, according to the 2011 Cost of Data Breach Study. Conducted by the Ponemon Institute, the annual Symantec-sponsored study was released today. The bad news: Companies that experience malicious attacks are more likely to incur a higher cost than those who fall victim to negligence.
Larry Ponemon, chairman and founder of the Ponemon Institute, stated that the study tracks several different expenses associated with data breaches. One of those expenses is the "organizational cost" -- the average cost that an organization absorbs in dealing with and remediating the impact from a data breach incident.
"That number last year was $7.2 million and this year it's approximately $5.4 million -- so that's a 24 percent decrease," Ponemon said.
The other data breach cost that Ponemon calculates is the "per compromised record" cost. In the 2010 study, that cost was $214 per data record. But in the 2011 study, that number has fallen to $194 per record.
The study uses an activity-based costing framework, with the largest chunk of total cost coming from a category called "lost business cost." That category includes items such as abnormal customer turnover, increased customer acquisition costs, reputation losses, and diminished goodwill. For 2011, the lost business cost was down by 34 percent over 2010.
"Fewer customers abandon companies after a data breach and we think that explains to a large extent why the total cost of a data breach went down so substantially," Ponemon said.
Negligence Is Most Common, But Attacks Cost More
Negligence is the most common root cause of data breaches, responsible for 39 percent of all incidents in the latest Ponemon study. But malicious attacks are close behind at 37 percent, and they are more costly: The average cost for a malicious attack is $222 per record, which is higher than the overall average of $194 per record.
"What this means is that a company that experiences malicious attacks is more likely to incur a higher cost than if it was negligence," Ponemon said.
Ponemon also found that the detection and escalation costs related to data breaches have fallen -- from $460,000 in 2010 to $433,000 in 2011. He noted that one of the reasons those costs have declined is that organizations have become more efficient.
"So their forensic investigative efforts are getting better and incident response plans have been tested and vetted to be working better," Ponemon said.
Organizational efficiency is also reflected in how often an organization experiences a data breach. Ponemon noted that the first time an organization experiences a data breach, it is usually more costly. Those organizations that suffer two or more data breaches typically see their costs fall as more experience is gained.
Faster Responses Incur Higher Costs
Surprisingly, the study also found that it's not necessarily a good idea to always respond quickly to a data breach.
"If you're too quick on the response you incur a higher cost," Ponemon said. "I think the reason is that companies that respond too quickly are not surgical in determining who is at risk."
As a result, organizations that are too quick to respond end up reporting to more people than they need to, which leads to a higher customer churn rate.
On the more favorable side, organizations that have a CISO and use outside consultants to help deal with data breaches tend to have lower costs.
"That's not to say the reason is because you have a great CISO," Ponemon said. "We believe the reason is that having a CISO indicates an organization has a stronger governance and control process in place."
When it comes to consultants, Ponemon said that using consultants is indicative of organizations that have more resources to deal with problems. While it's always good to have more resources, Ponemon suggested that data privacy overall needs to be integrated into the core business process of an organization.
When it comes to specific technologies, databases and SQL injection-type attacks are often highlighted as being dangerous threats, though Ponemon noted that there are a lot of data breaches that affect unstructured non-database data as well.
"It does seem that data in unstructured formats is at a higher risk level," Ponemon said.
According to Ponemon, security professionals have been focused on protecting structured data for a long time. In contrast, unstructured data such as email records are often more difficult to manage.
Data Breach Volume: Going Up?
While the average cost of a data breach is coming down, that doesn't mean the total number of data breaches is falling as well. In fact, the opposite could be true -- but Ponemon does not track that metric.
"We don't actually measure the number of data breaches that occur," Ponemon said. "Our gut feel is that data breaches happen all the time."
Ponemon explained that not all organizations are mandated to disclose data breaches. He added that without having an external report of some kind, it is difficult to know for sure if the volume of data breaches has changed in a significant way.
Overall, Ponemon said that he was really surprised that the 2011 study found that the cost of data breaches went down, though he's not sure if it's a trend that will continue.
"It might be an indicator of a trend or it might be a one year anomaly," Ponemon said. "It's impossible for me to predict, but my gut tells me that it's going to be costly no matter what, even with the decline."