More for Virgins, Less for Screw-ups: The surprising cost of data breaches

In its fourth annual study on data breaches, the Ponemon Institute examined the costs of 43 companies that had been hit by a data breach. The study found, not surprisingly, that the cost per record breached had risen (actual numbers coming up).

I have always thought it ironic that one of the biggest obstacles to getting organizations to take action on issues of data privacy and security is a lack of data, namely data about what a security failure might cost. If known, that cost can then be weighed against the cost of putting security measures in place.

After all, Adam and Eve did not cover their bodies in the Garden of Eden; likewise, organizations operating in crime-free utopias have no need to spend money to protect against data exposures. In the real world, however, it is sad but true that a certain percentage of people are not sufficiently constrained by either personal ethics or a fear of consequences, and they go about stealing data for personal gain.

Hence the need for security spending to avoid the costs of a breach, which are now averaging over $200 per record. So, the next time you read a story about some bank or retailer exposing thousands of records, you can just multiply by $200 to figure the hit they have just taken.

This study is more good work by Larry Ponemon and the Ponemon Institute. Consistently reliable data collected over time is particularly useful. For example, if you have been reading up on all the data breaches that have been happening, you might have formed the impression that more of them are now coming from third parties, i.e. people who process customer data for retailers, banks, etc. The survey shows that yes, third-party data breaches were reported by more organizations in 2008 than in 2005 (21% then, 44% now). Less predictable, perhaps, is the finding that third-party data breaches are more expensive: $231 per compromised record versus an overall average of $202.

As you might expect, breaches experienced by data loss "virgins" are more costly: $243 per record versus $192 for "experienced" companies, sardonically referred to as "repeat data screw-ups" by Larry Dignan in the TechRepublic blog post referenced at the beginning of this post. What surprised and saddened me is that more than 84% of all the companies examined by Larry Ponemon's team were repeat data breach offenders.

Sadly, until there is an uptick in the general standards of human behavior, things are likely to carry on like this. Data entrusted to the feckless will be exposed by the lawless, innocent lives will be disrupted, money will be lost, and the cost to defend against miscreants will mount.
