SYDNEY, Australia – June 6th, 2013 – Symantec Corp. (Nasdaq: SYMC) and the Ponemon Institute today released the 2013 Cost of Data Breach Study: Global Analysis, which reveals that human errors and system problems caused the vast majority of data breaches globally in 2012, while malicious attacks were the major cause of data breaches in Australia. In addition, the global cost of data breaches has increased over the previous year, and within Australia, the average total organisational cost per data breach increased from $2.16 million in 2011 to $2.72 million in 2012 – a 23 percent increase.
"While external attackers and their evolving methods pose a great threat to companies, the dangers associated with the insider threat can be equally destructive and insidious," said Larry Ponemon, chairman, Ponemon Institute. "Eight years of research on data breach costs has shown employee behaviour to be one of the most pressing issues facing organisations today, up 22 percent since the first survey."
"With the cost and severity of data breaches in Australia increasing year on year, the introduction of a mandatory data breach notification law could not be more timely. Mandatory breach notification is an important milestone for the protection of data in this country," said Brenton Smith, vice president and managing director, Pacific region, Symantec. "Mandatory breach notification ensures that in the unfortunate event of a data breach, consumers are provided with the information required for them to take the necessary remedial steps."
"Given organisations with strong security postures and incident response plans experienced breach costs 20 percent less than others, the importance of a well-coordinated, holistic approach is clear," said Anil Chakravarthy, executive vice president of the Information Security Group, Symantec. "Companies must protect their customers' sensitive information no matter where it resides, be it on a PC, mobile device, corporate network or data centre."
The eighth annual global report is based on the actual data breach experiences of 277 companies in nine countries including the United States, United Kingdom, France, Germany, Italy, India, Japan, Australia, and Brazil. The nine country and global summary reports can be found at http://bit.ly/10FjDik. All of the data breach incidents studied in the reports occurred in the 2012 calendar year. In order to properly track trend data, the Ponemon Institute does not include "mega data breaches" of more than 100,000 compromised records.
Companies can analyse their own risk by visiting Symantec's Data Breach Risk Calculator, which takes the organisation's size, industry, location and security practices into consideration for both a per record and an organisational estimate.
Additional key findings include:
- Average cost per data breach varies widely worldwide. Many of these differences are due to the types of threats that organisations face, as well as the data protection laws in the respective countries. For the fourth consecutive year in Australia, the cost per lost or stolen record and the total organisational cost increased. In 2011, the cost in Australia was $138 and increased by $3 to $141 in 2012.
- Malicious or criminal attacks are most often the root cause of the data breach and are the most costly. Forty-three percent of Australian organisations say the root cause of a data breach was a malicious or criminal attack, up from 36 percent in 2011. Thirty-three percent of breaches involved negligent employees or contractors and 24 percent say it was due to IT and business process failures. In addition, the per capita cost of a data breach caused by data theft or abuse averaged $159. In comparison, a data breach involving a system glitch or a negligent employee (human factor) cost $131 and $125 per compromised record, respectively.
- Fewer Australian customers are abandoning the organisation following the data breach. Average churn rates decreased from 3.4 percent to 2.9 percent, which means fewer customers are leaving organisations following a data breach. Despite declining churn, certain industries, such as financial, service companies and technology are more susceptible to high customer churn, which causes their data breach costs to be higher than other industries.
- Some organisational factors decrease the cost. U.S., U.K. and Australian companies received a reduction in data breach costs by having a strong security posture, incident response plan and CISO appointment.
- Other factors increase the cost. Third party errors and the quick notification of data breach victims, regulators and other stakeholders caused some companies to realise the greatest increase in data breach costs. Some companies also had the greatest increase in the cost of data breach if the incident involved a lost or stolen device.
Symantec recommends the following best practices to prevent a data breach and reduce costs in the event of one:
- Educate employees and train them on how to handle confidential information.
- Use data loss prevention technology to find sensitive data and protect it from leaving your organisation.
- Deploy encryption and strong authentication solutions.
- Prepare an incident response plan including proper steps for customer notification.
Symantec protects the world's information, and is a global leader in security, backup and availability solutions. Our innovative products and services protect people and information in any environment – from the smallest mobile device, to the enterprise data centre, to cloud-based systems. Our world-renowned expertise in protecting data, identities and interactions gives our customers confidence in a connected world. More information is available at www.symantec.com or by connecting with Symantec at: go.symantec.com/socialmedia.
NOTE TO EDITORS: If you would like additional information on Symantec Corporation and its products, please visit the Symantec News Room at http://www.symantec.com/news. All prices noted are in U.S. dollars and are valid only in the United States.