Crime may not always pay, but the companies that experience data breaches certainly do.
According to a new study released Wednesday by Symantec and the Ponemon Institute, the cost of data breaches in 2012 reached a global average of $136 per record (U.S. dollars). But perhaps more important than the figure itself is the factors the report says businesses can do to drop – or increase – that cost.
The report, entitled ‘2013 Cost of Data Breach Study: Global Analysis’, focuses on the experiences of 277 companies in nine countries, including the United States, France and Germany. Of the nine countries, the U.S. and Germany were home to the most costly data breaches, with $188 and $199 respectively. Those countries also had the highest total cost per data breach – $5.4 million in the United States and $4.8 million in Germany.
Hidden within those totals are a number of factors that can cause those numbers to fluctuate. Rushed data breach notifications, lost or stolen devices and breaches caused by third-party errors all caused data breach costs to spike, explained Larry Ponemon, founder of the Ponemon Institute.
“Any time you add a third-party it becomes more complex just on the ability to get your arms around the issue,” he said, adding that third parties can create issues simply by not being as forthright about an incident as another organization may require or expect.
To reduce the cost of a third-party breach, organizations should consider liability coverage and indemnification as part of the third-party contract, he added. Also, there needs to be an incident response plan that is shared with the third-party so the other organization knows its role and responsibility. To help with this, there should be a senior member of the other organization involved in the incident response process, Ponemon said.
A solid incident response plan and strong leadership from a CISO reduce the cost of a data breach significantly, dropping it globally by an average $13 and $8 per record, respectively. Those drop-offs were particularly high in the U.S., where an incident response plan cut costs by $42 per record and the presence of a CISO dropped it by $23.
“Our research shows that CISO – or equivalent level title – leadership is a leading indicator of a centralized or “command and control” management of the IR [incident response] process, which appears to be more cost efficient than distributed leadership/management,” Ponemon said.
It may not be surprising then that companies that rush notifications tend to see increased cost. According to Ponemon, companies that over-report tend to anger more customers and increase churn, ultimately costing them business. The costs associated with notification range from the creation of contact databases to the determination of regulatory requirements. Overall, the cost of notification was highest in the U.S., coming in at roughly $565,000.
By and large, human and system errors were the main causes of the data breaches covered in the study. Taken together, they accounted for 64 percent of all the breaches globally. However, it is malicious attacks that tended to cost the most, coming in at $157 per record globally and $277 per record in the U.S.
Ultimately, employees are the best line of defense against data breaches, but preventing such incidents comes down to a mix of enforcement and policy education, said Linda Park, product marketing manager for data loss prevention at Symantec.
“As important as awareness and education training is, if you don’t enforce those policies and remind employees, you’re ultimately not going to be able to change their behavior,” she said.
Related: Everyone is a Security Manager