Ponemon and Symantec Find Most Data Breaches Caused by Human and System Errors
Malicious and Criminal Attacks are the Most Costly Worldwide
AUCKLAND – 6 June 2013 – Symantec Corp. (Nasdaq: SYMC) and the Ponemon Institute today released the 2013 Cost of Data Breach Study: Global Analysis, which reveals human errors and system problems caused two-thirds of data breaches in 2012 and pushed the global
average to $136 per record The Ponemon Institute considers customer or consumer data (including payment transactional
information), employee records, citizen, patient and student information as a data record. The cost per record is the
average cost per compromised data record of direct and indirect expenses incurred by the organisation.
. Issues included employee mishandling of confidential data, lack of system controls and violations of industry and
government regulations. Heavily regulated fields – including healthcare, finance and pharmaceutical – incurred breach
costs 70 percent higher than other industries.
The global cost per compromised customer record was up over the previous year, and the United States’ total cost per
data breach incident was down slightly at US$5.4 million. This decline was attributed to the appointment of chief
information security officers (CISOs) with enterprise-wide responsibilities, comprehensive incident response plans and
stronger overall security programmes.
“While external attackers and their evolving methods pose a great threat to companies, the dangers associated with the
insider threat can be equally destructive and insidious,” said Larry Ponemon, chairman, Ponemon Institute. “Eight years
of research on data breach costs has shown employee behaviour to be one of the most pressing issues facing organisations
today, up 22 percent since the first survey.
“Given organisations with strong security postures and incident response plans experienced breach costs 20 percent less
than others, the importance of a well-coordinated, holistic approach is clear,” said Anil Chakravarthy, executive vice
president of the Information Security Group, Symantec. “Companies must protect their customers’ sensitive information no
matter where it resides, be it on a PC, mobile device, corporate network or data centre.”
The eighth annual global report is based on the actual data breach experiences of 277 companies in nine countries
including: the United States, United Kingdom, France, Germany, Italy, India, Japan, Australia and Brazil. The nine
country and global summary reports can be found at http://bit.ly/10FjDik. All of the data breach incidents studied in the reports occurred in the 2012 calendar year. In order to properly track
trend data, the Ponemon Institute does not include “mega data breaches” of more than 100,000 compromised records.
Companies can analyse their own risk by visiting Symantec’s Data Breach Risk Calculator, which takes the organisation’s size, industry, location and security practices into consideration for both a per
record and an organisational estimate.
Additional key findings include:
Average cost per data breach varies widely worldwide. Many of these differences are due to the types of threats that organisations face, as well as the data protection laws
in the respective countries. Some countries such as Germany, Australia, the United Kingdom and United States, have more
established consumer protection laws and regulations to strengthen data privacy and cyber security. United States and
Germany continue to incur the most costly data breaches (at an average cost per compromised record of $188 and $199
respectively). These two countries also had the highest total cost per data breach (United States at $5.4 million and
Germany at $4.8 million).
Mistakes made by people and systems are the main causes of data breach. Together human errors and system problems account for 64 percent of data breaches in the global study, while prior research shows that 62 percent of employees think it is acceptable to transfer corporate data outside the company and the
majority never delete the data, leaving it vulnerable to data leaks. This illustrates the large extent to which insiders
contribute to data breaches and how costly that loss can be to organisations. Brazilian companies were most likely to
experience breaches caused by human error. Companies in India were the most likely to experience a data breach caused by
a system glitch or business process failure. System glitches include application failures, inadvertent data dumps, logic
errors in data transfer, identity or authentication failures (wrongful access), data recovery failures, and more.
Malicious and criminal attacks are the most costly everywhere. Consolidated findings show that malicious or criminal attacks cause 37 percent of data breaches and are the most
costly data breach incidents in all nine countries. U.S. and German companies experience the most expensive data breach
incidents caused by malicious or criminal attackers at $277 and $214 per compromised records, respectively, while Brazil
and India had the least costly data breach at $71 and $46 per record, respectively. German companies were also most
likely to experience a malicious or criminal attack, followed by Australia and Japan.
Some organisational factors decrease the cost. U.S. and U.K. companies received the greatest reduction in data breach costs by having a strong security posture,
incident response plan and CISO appointment. The U.S. and France reduced costs by engaging data breach remediation
consultants.
Symantec recommends the following best practices to prevent a data breach and reduce costs in the event of one:
1. Educate employees and train them on how to handle confidential information.
2. Use data loss prevention technology to find sensitive data and protect it from leaving your organisation.
3. Deploy encryption and strong authentication solutions.
4. Prepare an incident response plan including proper steps for customer notification.
Related
Connect with Symantec
Click to Tweet: 2013 Cost of a Data Breach Study: Mistakes by people & systems caused most data breaches last year: http://bit.ly/14gaIRR
About Symantec
Symantec protects the world’s information, and is a global leader in security, backup and availability solutions. Our
innovative products and services protect people and information in any environment – from the smallest mobile device, to
the enterprise data centre, to cloud-based systems. Our world-renowned expertise in protecting data, identities and
interactions gives our customers confidence in a connected world. More information is available atwww.symantec.com or by connecting with Symantec at:go.symantec.com/socialmedia.
ENDS