When it comes to data breaches, hackers and organized crime garner most of the headlines, but most data breaches are caused by human errors and system glitches--application failures, inadvertent data dumps, logic errors in data transfer and more. As a result, educating your employees and making sure they're not cutting corners is a big component in preventing data breaches.
In fact, according to a new study by Symantec and the Ponemon Institute, 64 percent of data breaches in 2012 were the result of human mistakes and system problems.
"While external attackers and their evolving methods pose a great threat to companies, the dangers associated with the insider threat can be equally destructive and insidious," says Larry Ponemon, chairman and founder of security research think tank the Ponemon Institute. "Eight years of research on data breach costs has shown employee behavior to be one of the most pressing issues facing organizations today, up 22 percent since the first survey."
Education Is Key to Reducing Data Breaches
"The key to reducing data breaches for the vast majority of reasons is really to educate employees," says Robert Hamilton, director of product marketing at Symantec. "You can do it in two ways: through general awareness security training and by deploying technology like data loss prevention technology. We actually classify that as employee education, but you're doing it in real time. It's not blocking data from moving somewhere, it's actually educating the employees."
Implementing a strong security posture and incident response plan, as well as appointing a chief information security officer (CISO), also reduces the costs of data breaches by about 20 percent.
"Given organizations with strong security postures and incident response plans experienced breach costs 20 percent less than others, the importance of a well-coordinated, holistic approach is clear," says Anil Chakravarthy, executive vice president of the Information Security Group at Symantec. "Companies must protect their customers' sensitive information no matter where it resides, be it on a PC, mobile device, corporate network or data center."
The Cost of Data Breaches on the Rise
The cost of those data breaches is on the rise. The Symantec-Ponemon study found that the global average cost of a data breach rose from $130 per compromised record in 2011 to $136 per compromised record in 2012.
The Ponemon Institute has conducted this benchmark study for eight years using the activity-based costing model developed by Harvard University Professor Robert S. Kaplan. Ponemon says the model starts with the detection or study of a data breach incident and takes into account forensic and investigative activities, incident response, notification, legal, consulting, outbound communication and call center activities, activities to maintain customer confidence and trust, direct churn, secondary churn and increased customer acquisition costs.
The study investigated 277 organizations with actual data breach experiences in nine countries and across 16 industry sectors. It included 1,400 interviews with individuals responsible for IT, compliance and information security with knowledge of data breach costs.
"This study is not a survey," Ponemon explains. "It's field-based research. We captured both direct and indirect costs. However, the indirect costs do not include opportunity costs; they're costs that can be measured. We tried to take a relatively conservative position."
"The scale of this is just enormous," he adds. "It took us about nine and a half months of field work to capture the data."
Ponemon noted the study did not include any catastrophic data breaches, as they skew the results. Instead it focused on data breaches that ranged from 1,000 to 100,000 records.
Cost of Data Breaches Highest in Germany, Followed by U.S.
Data breaches in the U.S. and Germany are the most costly: The average cost per compromised record in the U.S. was $188 in 2012 (down from $194 in 2011), while the average cost per record in Germany rose to $199 (up from $191 in 2011). The U.S. and Germany also had the highest total cost per data breach, at $5.4 million and $4.8 million, respectively.
Companies in Brazil were the most likely to suffer a data breach due to human error, while companies in India were most likely to have a data breach caused by a system glitch or business process failure. Brazil and India also had the lowest cost per compromised record, at $58 and $42, respectively. Ponemon notes that companies in countries with more established consumer protection laws and regulations to strengthen data privacy and cyber security tend to pay a higher cost for compromised records. For instance, breaches in heavily regulated industries, including healthcare, finance and pharmaceutical incurred breach costs 70 percent higher than breaches in other industries.
Malicious Attacks Still the Most Costly Data Breaches
While malicious attacks account for only 37 percent of data breaches, they by far the most expensive data breach incidents, with a global average cost of $157 per compromised record. Each data breach caused by a malicious or criminal attacker cost U.S. companies an average of $277 per compromised record and German companies $214 per compromised record. Brazilian and Indian companies, on the other hand, had the least costly malicious data breaches, with an average cost per compromised record of $71 and $46, respectively.
"Malicious attacks are more costly, by a significant factor, in the U.S.," Hamilton says. "Typically, when you discover that you've been attacked, you throw a lot more resources at a problem. The surprise factor and the panic factor can account for the higher cost for a malicious attack."
Factors That Affect the Cost of Data Breaches
That, Hamilton says, is why companies with a CISO and incident response plan in place tend to experience lower costs from data breach incidents: companies that are prepared don't waste as much time and resources responding to an incident. In fact, the study found that three factors increase the cost per record of data breaches:
Third-party error (+$19)
Lost or stolen devices (+$8)
Rapid notification (+$7)
On the other hand, the study found that four factors decrease the cost per record of data breaches:
A strong security posture (-$15)
An incident response plan (-$13)
Appointment of a CISO (-$8)
Engagement of data breach remediation consultants (-$5)
Symantec outlined four best practices that companies can adopt to avoid the major causes of data breaches:
Educate employees and train them on how to handle confidential information.
Use data loss prevention technology to find sensitive data and protect it from leaving your organization.
Deploy encryption and strong authentication solutions.
Prepare an incident response plan including proper steps for customer notification.
Thor Olavsrud covers IT Security, Big Data, Open Source, Microsoft Tools and Servers for CIO.com. Follow Thor on Twitter @ThorOlavsrud. Follow everything from CIO.com on Twitter @CIOonline, Facebook, Google + and LinkedIn. Email Thor at [email protected]