Data security is a vexing problem for companies, with threats coming from all directions. But it appears many are finally learning to mitigate these threats. In fact, the average cost of data breach has actually declined, a just-released report from the Ponemon Institute and Symantec reveals.
For the first time in seven years, both the organizational cost of data breach and the cost per lost or stolen record have declined. The study, which examined 49 data breach cases with a range of nearly 4,500 to 98,000 affected records, found the average cost per affected record declined from $214 to $194. The organizational cost declined from $7.2 million to $5.5 million.
Still, this is no time to sit back and celebrate.
There is a huge Achille's Heel in data security, and that is insiders with privileged -- and often unmonitored -- access. The greatest data security vulnerability is slackers, not hackers, the survey finds. Thirty-nine percent of companies said insider negligence was the root cause of the data breaches. Most breaches occur because of employee mistakes and lax operating procedures. As companies grow, many fail to put training and protocols in place to safeguard data. Others delegate data protection to the IT department, which does little to protect against human error, the Ponemon report claims.
These results align with a study I helped author on the subject, conducted as part of my work with Unisphere Research, a division of Information Today, Inc., and sponsored by Application Security Inc. The survey polled 524 enterprise IT and data managers, and the results reveal that the greatest challenge to database security may actually come from organizational issues, rather than nefarious or accidental acts. Six out of ten respondents blame "human error" for their data security breaches, and 45% blame fraud and abuse by insiders, such as employees or contractors. IT may be hamstrung by lack of management urgency or support.
The Ponemon-Symantec study points to the impact of lax management and policies. Frequent lapses in data security include lost or stolen laptops, flash drives, and mobile devices. Employees are negligent in their behaviors and fail to password protect, encrypt and/or delete data from their devices. In addition, mis-mailing of information to the wrong recipient also is a problem. Whether via email or mail, sending information to the wrong recipient is a leader in identity theft and data breach cases. Employee theft or loss of physical documents, back-up tapes, and data is also a problem. Many employees take their computers/mobile devices off-site where they a) loose them and b) work in unprotected settings and faulty networks.
My colleague Heather Clancy just posted details of an identity-theft scam involving the filing of fraudulent IRS returns with stolen Social Security numbers. It's likely these numbers were lifted by insiders within businesses and doctors' offices.
There is some good news, as noted above. The cost per incident has actually gone down a bit for companies, which Ponemon credits to increasing vigilance among some companies. For example, companies with a dedicated security executive tend to reduce the average cost of a data breach as much as $80 per compromised record.
Still, data breaches are costly for most companies. For example, organizations that had their first ever data breach spent on average $37 more per record. Those that responded and notified customers too quickly without a thorough assessment of the data breach also paid an average of $33 more per record. Data breaches caused by third parties or a lost or stolen device increased the cost by $26 and $22, respectively.
The best approaches? Auditing data log files is fine, but only catches incidents after the fact -- sometimes long after the fact. Data encryption and masking will help prevent unauthorized viewing of files. Also, as noted above, when management gets on board, and education is provided, the problem can be controlled.
Ponemon's U.S. Cost of a Data Breach Study took into account direct business costs, including engaging forensic experts, outsourcing hotline support and providing free credit monitoring subscriptions and discounts for future products and services. Indirect costs include in-house investigations and communication, as well as the extrapolated value of customer loss resulting from turnover or diminished acquisition rates.
(Photo by Joe McKendrick.)