The study, which was sponsored by PGP, surveyed 43 organizations across 17 different sectors and evaluated the financial consequences of data breaches involving consumers’ personal information.
The study also tracked an assortment of cost factors, including outlays for network security systems, legal expenses, customer defection and reputation management, as well as costs associated with customer support services such as information hotlines and credit monitoring subscriptions.
Data breach incidents cost U.S. companies US$202 per compromised customer record last year, compared with $197 in 2007, according to the study. The average total per-incident cost rose to $6.65 million in 2008, up 5.3 percent from $6.3 million in 2007.
Healthcare and financial services companies experienced the highest customer churn rates — 6.5 percent and 5.5 percent, respectively.
Third-party organizations accounted for more than 44 percent of all data breaches in 2008, and the resulting investigation and consulting fees made these the most costly form of data breaches.
Nearly 90 percent of all cases in the 2008 study involved insider negligence.
While hack attacks on prominent companies such as Microsoft or on government IT systems garner the big headlines, outsiders are not behind most data breaches.
“There are all sorts of problems associated with internal breaches, but the actions of well-meaning insiders are the biggest problem,” Kevin Rowney, founder of Symantec’s data-loss prevention division, told the E-Commerce Times.
For example, an employee who takes home a laptop loaded with sensitive customer information with the intent of working over the weekend can cause serious security issues.
“Maybe they leave the laptop in their car while they’re on a Friday night date and then come back to find it gone,” Rowney said. “That’s a costly employee mistake.”
Partners Pose a Risk
Third parties such as consultants and partners who have access to sensitive personal information about employees or customers also pose a significant risk, Larry Ponemon, chairman of the Ponemon Institute, told the E-Commerce Times.
In today’s business world, organizations large and small use outside accounting firms, marketing firms, public relations firms and IT consultants to help them achieve their goals.
The more people with access to a corporate network, the higher the probability of a data breach, Ponemon said.
Some Companies Still Don’t Get It
Another issue facing large organizations is the apparent lack of urgency following an event.
“There’s still a problem with the way management responds to these things,” noted Ponemon. “Many organizations simply don’t respond to their customers’ concerns because they’re so focused on the breach itself.”
Many of the security problems companies face are preventable — but most organizations don’t have the right software tools and security policies in place to deal with data breaches, he observed.
“It’s a combination of software and risk management,” explained Ponemon. “Good technology, like encryption, data-loss prevention tools and data-access tools, can help — but they’re not the complete answer, because so many of these incidents are due to negligence and carelessness.”
With more and more employees accessing corporate networks via laptops, smartphones and the like, it’s imperative that companies put policies in place that govern the way those points of access are used, he said.
Execs and Security Teams
“Any kind of successful risk management approach has to start with a rough consensus between the executives and security team,” Symantec’s Rowney said. “Once you’ve got that trust built, there are a variety of control measures you can put in place, some brand new and some traditional, that can tell how data is being used and abused — where the data is and where it’s stored.”
One of the primary causes of data breaches is that many companies don’t even know where on the network sensitive data is held, he said.
What happens is that well-meaning employees tap into that data and copy it or work with it in unauthorized areas of their corporate networks, Rowney continued. “Other employees find it and then breach it, or hackers find it and breach it.”
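The control Rowney describes, something that can tell where sensitive data is stored and whether it has been copied into areas where it should not be, is what data-discovery features of DLP tools do. As an added illustration that is not part of the article and not code from Symantec, PGP or the Ponemon Institute, the following Python script walks a file tree and reports every file holding records that look like payment card numbers (validated with the Luhn checksum) or US Social Security numbers. The regular expressions, the directory layout and the sample records are constructed for the demo; the two card numbers are widely published test values, not real accounts.

```python
"""Added example (not part of the E-Commerce Times article): a minimal
sensitive-data discovery scan that reports where customer PII sits on a
file tree. Paths, sample files and patterns are constructed for the demo."""
import os
import re
import tempfile
from typing import Dict, List

# Payment card numbers: 13-19 digits, optionally separated by spaces/dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# US SSN in the common 3-2-4 dashed form (demo pattern; real tools use more).
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify_text(text: str) -> Dict[str, int]:
    """Count likely card numbers (Luhn-valid only) and SSNs in a text blob."""
    cards = 0
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            cards += 1
    ssns = len(SSN_RE.findall(text))
    return {"card_numbers": cards, "ssns": ssns}


def scan_tree(root: str) -> List[Dict[str, object]]:
    """Walk root and return one finding per file that holds PII-like records."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                    counts = classify_text(fh.read())
            except OSError:
                continue  # unreadable file: skip here; a real tool would log it
            if any(counts.values()):
                findings.append({"path": os.path.relpath(path, root), **counts})
    return sorted(findings, key=lambda f: str(f["path"]))


def demo() -> List[Dict[str, object]]:
    """Build a constructed tree: a customer export copied into a shared
    marketing folder next to a harmless finance note, then scan it."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "shared", "marketing"))
        os.makedirs(os.path.join(root, "finance"))
        # Constructed sample records; both PANs are published test numbers.
        with open(os.path.join(root, "shared", "marketing", "export.csv"), "w") as fh:
            fh.write("name,card,ssn\n")
            fh.write("A. Customer,4111 1111 1111 1111,123-45-6789\n")
            fh.write("B. Customer,5500 0000 0000 0004,987-65-4321\n")
        with open(os.path.join(root, "finance", "notes.txt"), "w") as fh:
            # A 16-digit order number that fails Luhn must not be flagged.
            fh.write("order 1234 5678 9012 3456 shipped\n")
        return scan_tree(root)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

The Luhn check is what keeps the scan from flagging every long digit string (order numbers, tracking IDs) as a card number; in the demo only the export copied into the shared folder is reported, with two cards and two SSNs, which is exactly the "data sitting in an unauthorized area" situation the quote describes. A production scan would also cover mail stores, databases and endpoints, and would record the owner and last-modified time of each hit so the security team can act on it.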