Negligent insiders are the leading cause of data breaches at U.S. companies and public sector agencies, according to a new study by the Ponemon Institute. At the same time, malicious or criminal attacks are on the rise and are more costly to organizations than data breaches triggered by employees or system glitches, according to the study.
In its report, the 2011 Cost of Data Breach Study, the Michigan-based research organization found that 39% of data breaches in the U.S. involved employee negligence.
“Negligence is definitely a major cause of data breach in government,” Larry Ponemon, chairman and founder of the institute, told AOL Government. “Most of these people are not bad people. They don’t have enough knowledge or they’re rushing. They’re under pressure to get something done. But they take the risk and put their organization in peril.”
Negligent insiders will continue to pose a security threat as new technologies proliferate in the workplace, said Francis deSouza, group president of enterprise products and services at Symantec Corp., which sponsored the report.
Nearly 40% of organizations in the study had a data breach resulting from a lost or stolen mobile device, including tablet computers, smartphones and USB drives that contained confidential or sensitive data.
The Ponemon Institute’s 2011 report, its seventh annual study of the cost of data breaches, was derived from the experiences of 49 U.S. companies and public-sector organizations from 14 different industry sectors. Its survey base included three federal agencies, according to Larry Ponemon, who declined to identify those agencies due to confidentiality agreements.
The study also found that 37% of data breaches involved a malicious or criminal attack and 24% involved system glitches, including a combination of information technology and business process failures.
Notably, malicious or criminal attacks rose to 37% from 31% in last year’s study. Such attacks are also more damaging than other types of breaches, costing $222 on a per capita basis compared to $174 for negligence-based breaches. The report defines “per capita” as the cost per record stolen or lost in a data breach.
On the positive side, the study showed that while data breaches continue to have serious financial consequences for U.S. companies and public sector agencies, the cost of dealing with those breaches has declined for the first time in seven years. Overall, the cost of data breaches has fallen to $5.5 million from $7.2 million in 2010. The per capita cost has dropped to $194 from $214 last year.
Cost broadly encompasses direct and indirect expenses incurred in the course of responding to and resolving a data breach incident. Direct expenses include items such as engaging forensic experts and legal expenditures, while indirect costs can stem from in-house investigations and financial losses due to customer turnover.
The decline in cost suggests that organizations represented in the study have improved their performance in preparing for and responding to data breaches, according to the report.
“As the findings reveal, more organizations are using data loss prevention technologies, fewer records are being lost in these breaches and there is less customer churn,” it concluded.
Customer “churn” represents the economic impact of lost or diminished customer trust and confidence. Churn resulting from breaches for government agencies was the lowest among the 14 industry sectors at 0.7%, while financial services organizations experienced the highest churn rate, 5.6%, according to the study.
The reason for the public sector’s low churn rate is that the government’s “customers” simply aren’t able to take their business elsewhere if they lose trust due to data breaches, Larry Ponemon explained.
“The cost that is most difficult to measure for government is lost business,” he said. “What we basically find with government is that it has a monopoly. So if the [Veterans Affairs Department] has a data breach, you may get angry at the VA if you are a victim of that data breach but there’s not an alternative to the VA.”
As a result, analyzing the government’s customer churn rate requires a different framework, he said.
“In a way government agencies get off easy because they have monopoly power but it’s not free,” he said. “When you don’t trust [government] agencies, you do things like stop filing your tax returns using E-file. That results in additional costs because it’s less efficient going back and having to provide services in a conventional way. So there are different types of costs that occur as a result of people losing confidence even if the agency is the only game in town and has a monopoly.”
The report also found that certain management factors can help to reduce the overall cost of data breaches. For example, organizations with a chief information security officer with responsibility for enterprise data protection can reduce the cost of data breaches by as much as 35% per compromised record.
“As organizations of all sizes battle an uptick in both internal and external threats, it makes sense that having the proper security leadership in place can help address these challenges,” Larry Ponemon said.
The study noted that, based on multiple years of researching the cost of data breaches, six positive and negative attributes can influence the cost of a data breach. Of the organizations surveyed:
- 43% have centralized the management of data protection with the appointment of a C-level security professional.
- 41% had a data breach caused by a third party (including protected data in the hands of outsourcers, cloud providers and business partners).
- 41% notified victims within 30 days or less.
- 39% had a data breach as a result of a lost or stolen mobile device, which included laptops, smartphones, tablets and USB drives that contained confidential and sensitive information.
- 37% hired consultants to assist in their data breach response and remediation.
Most of the organizations in this year’s study have already experienced a data breach. Only 22% say it is the first time.