Average cost of a breach is £47 per lost record

By Ron Condon, UK bureau chief
25 Feb 2008 | SearchSecurity.co.uk


If anyone still needed convincing, new research has confirmed that British customers really will desert companies that suffer serious security breaches. Not only that, but the cost of investigating and responding to a breach generally outweighs the cost of preventing it in the first place.

The conclusions come in a report from the US-based Ponemon Institute, which has carried out similar surveys in the US for the last four years. The new report is based on information provided by 21 UK companies that had suffered security breaches in 2007 – 11 of them in financial services, four in retail and the others spread across a range of sectors.

The severity of the losses ranged from 2,500 records to 125,000, and the estimated cost of recovering from the loss, including lost business, ranged from £85,000 to £3.8 million.

The survey found that, on average, 36% of the cost of a breach resulted from a loss of business – in other words, customers taking their business elsewhere. But the effect on customers was patchy across industry sectors. On average, churn rates rose by 2.5% after a breach, and while some companies reported virtually no effect at all, the most seriously affected saw customer churn rise by 7%.

The biggest effects were felt in financial services, where customer trust was most important. This meant that while the average cost of a breach was £47 per record compromised, it was £55 in financial services. The average cost for retailers was £51.

The £47 average cost per record consisted of £15 for detection and escalation; £15 for post-breach measures; and £17 on lost business and increased cost of customer acquisition. Just £1 per record was spent on notifying those involved, which suggests that companies did not always notify those affected.

US data breach costs twice as high as UK

As the report comments, a more formal notification regime, such as already exists in the US where disclosure is mandatory in most states, would push up the costs. According to Ponemon, the average cost of a data breach in the US is $197 per record – more than twice the UK cost.

Larry Ponemon, chairman of the Ponemon Institute, said that his US research showed a higher level of customer churn than in the UK, and that abnormal churn in the US could reach more than 8%. He also noted that UK companies tended to devote a higher level of resources to detecting and understanding the causes of any breach. "That may have been influenced by the high proportion of financial services companies in our sample," he admitted.

Although organisations spend much effort and money on warding off hackers, malicious code and malicious insiders, the figures show that carelessness and incompetence are much more significant factors. For instance, 36% of breaches resulted from laptops and other mobile devices going missing or being stolen. The second most significant cause (at 24%) was the loss of paper records.

By contrast, hackers, malicious insiders and malware accounted for just 12% of all incidents.

The research also discovered that while 36% of breaches resulted from lost or stolen laptops and other mobile devices, 38% of breaches were caused by third parties – such as consultants, business partners and outsourcing companies – losing their clients' information.

Losses by third parties also tended to be more expensive to fix, averaging £59 per record compromised, compared with £42 for breaches that happened within a company.

Guy Bunker, chief scientist for Symantec Corporation, said that despite the low sample size of the survey, he thought it painted an accurate picture. He said that US companies had been forced to take the problem more seriously because they faced the prospect of mandatory disclosure. "Companies in the UK don't really have much of a handle on where data is held, either on laptops or servers," he said. "It's the unstructured data that gets sent around the organisation, and gets stored on laptops, that you need to be able to identify."

He said many of the problems identified in the report could be solved by tightening up processes, such as ensuring the shredding of confidential documents, or the destruction of CD-ROMs when they were no longer needed.

The cost of prevention, he said, was far less than the cost of handling a breach. "My gut feeling is that the solution would be about 10% of the cost of the loss. When you look at the most serious loss, £3.8 million, you could get a lot of data loss prevention for 10% of that," he said.

The full report, which was sponsored by PGP and Symantec, is entitled '2007 Annual Study: UK Cost of a Data Breach', and can be downloaded here.
