The Ponemon Institute just released its ninth annual “Cost of Data Breach Study.” According to the research, the average total cost of a data breach for the companies participating in the study increased 15 percent to $3.5 million. The average cost paid for each lost or stolen record containing sensitive and confidential information increased more than 9 percent from $136 in 2013 to $145 in this year’s study.
Numbers for the US were higher as the average cost increased from $188 to $201 per record between 2012 and 2013. The study found that the average number of breached records was a little more than 29,000 with average total costs being $5.85 million. That’s a very expensive proposition.
The consequences of very large data breaches, like Target, can be more than just monetary. Last year hackers stole credit card, debit card and personal information of over 100 million customers. On May 5, 2014, CEO Gregg Steinhafel resigned or was fired because of the fallout of Target’s security inadequacies. The company’s reputation and profits have suffered, causing the board to take action. This is the first time the head of a major corporation lost his job because of computer security issues.
The 3 main causes of data breaches according to the Ponemon Institute report are malicious or criminal attack, system glitches and human error. A negligent employee or contractor could be the cause of anywhere between 20 and 40 percent of all data breaches, depending on the country or industry surveyed. That indicates that both training and better technology may be able to reduce data breaches.
The report indicated that maintaining a strong security posture results in the greatest decrease in the cost of a data breach. A company’s security posture deals with an overall security plan and typically encompasses processes, policies, software and systems that reduce the organization’s risk level. Stronger postures help lower the cost of a data breach.
Organizations that deploy encryption extensively throughout the enterprise as opposed to limiting its use to a specific purpose are more aware of threats to sensitive and confidential information and spend more on IT security. Encrypting and limiting access to data and files is the only way to really protect yourself from both malicious and unintentional data leaks. By encrypting files at the point of creation, a company ensures protection of intellectual property and sensitive customer information immediately. This eliminates human error since all data is protected automatically.
Mature security programs include incident response and business continuity plans in addition to appropriate technology. Just as it’s prudent to plan for a natural disaster so you can mitigate business disruption, you need to think the same way about your data. You can mitigate business disruption by encrypting your data and controlling access to it through security policies. That’s the best way to reduce the cost of a data breach.