Data breaches cost £47 per record

The average cost of a data breach is £47 per record, and the bulk of that cost is from lost business, according to new research.

The study, by the Ponemon Institute and sponsored by Symantec and PGP Corporation, contacted every UK company known to have suffered a data breach in the past year. Some 21 organisations across eight sectors replied.

It's the first time the institute has done the study in the UK, after three annual surveys in the US.

The average cost per record lost is £47, the study found. The average total cost for the companies which took part in the survey was £1.4 million, although some topped out at £3.8 million.

Lost business leads to 46 per cent of the total cost of a data breach, as a loss of trust leads to higher churn and higher customer acquisition rates, the study found. Churn climbs by some 2.5 per cent on average, but some firms saw rates as high as four per cent.

The rest of the cost is made up from notification (£1 per record), detection (£15) and ex-post activities (£15), which are the costs after the event to help victims watch their credit or the reissuing of account cards, for example.

"Notification is not the biggest part of the cost," said Phil Dunkelberger, president and chief executive of PGP. "The largest point is loss of customers."

Not surprisingly, records missing from financial institutions are the most expensive, hitting an average of £55. Retail was also higher, at £51. "It's just because of the nature of the business - why do people rob banks, because that's where the money is," said Dunkelberger.

As the NHS and Ministry of Defence have discovered, lost laptops are the most frequent cause of data breaches, leading to some 36 per cent. The use of paper records causes another 24 per cent, while hackers, malicious insiders and malicious code combined lead to just 12 per cent of such incidents.

Putting data in the hands of third-parties doesn't mean it's any safer, as some 38 per cent of data breaches were seen to be caused by external contractors or partners. Not only is that a high number, but the cost of data breaches is also higher when third-parties are involved, bumping the average to £59 from £47.

After a data loss, firms are most likely to invest in encryption and data loss protection technology, followed by identity or access management, endpoint security controls and perimeter controls. "There's no one set of answers out there to stop it," said Dunkelberger.

But he noted that IT departments must stay on top of new developments - citing virtualisation as one new technology which has made security more difficult. "New threats are evolving with technology, things you didn't have to think about before," Dunkelberger said.

"So much of this is about confidence," said Torgny Gunnarsson, Symantec's vice president of the Northern Region, Europe, Middle East and Africa. He asked what would happen if people lost confidence in online banking, and started showing up at their local branch en-mass. "Banks do not have the infrastructure for you and me to be coming into the bank."

The study didn't take into account the social damage a massive data security event could cause. He suggested banks and other institutions take seriously the threat from terrorists, asking what would happen if an attack took UK banks offline for five days, or California was taken off-grid?

Gunnarsson and Dunkelberger took the opportunity to renew calls for UK or EU data breach notification, but said it was necessary to create one legislation for companies to follow. Dunkelberger described the oft-cited American system, which is flawed because each of the 40 states with notification laws has different legislation which requires separate filings. A multinational corporation faces even more different rules, he added.

Gunnarsson said: "The worst thing that could happen is very harsh, detailed restrictive legislation."

Dunkelberger agreed: "Government don't do a good job of legislating technology... we say use best practices."

He stressed the need for safe harbour clauses. "If you've done best practices and are at zero risk of a breach, you shouldn't be penalized," especially as the largest cost of a data breach is in lost business, he said. "Don't punish a business which has done the right thing."

Email to a friend

Print this page

Social Bookmark this article: What is this?

Digg

Delicious

Reddit

StumbleUpon

Slashdot

Google

Facebook