Press Release

Data breach cost hits UK organisations for £1.9 million per incident in 2010

Symantec-sponsored Ponemon study highlights hostile attacks as the most expensive data breach for UK organisations
READING, UK – March 21, 2011 – Symantec Corp. (NASDAQ: SYMC) and the Ponemon Institute today revealed that the cost of a data breach has risen for the third consecutive year. The 2010 Annual Study: UK Cost of A Data Breach report found that the average data breach incident cost UK organisations £1.9 million or £71 per record, an increase of 13 percent on 2009, and 18 percent on 2008. The incident size ranged from 6,900 to 72,000 records, with the cost of each breach varying from £36,000 to £6.2 million. The most expensive incident increased by £2.3 million compared to 2009.

Hostile attacks reign as the most expensive data breach for UK organisations. The 2010 study found that malicious or criminal attacks accounted for 29 percent of all data breaches, up from 22 percent in 2009. When information is compromised in this way, costs are at their highest, at an average of £80 per record, up £4 on 2009. The expenses associated with a data breach include detection, escalation, notification, and customer churn due to diminished trust.

Key findings from the study include:
  • System failure overtook the insider as the most common threat. In this year’s study, 37 percent of all cases involved a system failure, up 7 percent on 2009, the biggest rise of any data breach attribute. It replaced negligence, which at 34 percent dropped 11 points. Lost or stolen devices and third-party mistakes each fell slightly. Malicious or criminal attacks rose 5 points to 29 percent.
  • Recognition of the risk of insecure mobile devices connecting to company networks jumps to 64 percent. The likelihood of insecure mobile devices, including smartphones and tablet computers, accessing company data is 84 percent - an increase of 9 percent on 2009. Organisations are recognising this risk, with 64 percent stating mobile device encryption was very important or important, an increase of 13 points from 2009.
  • Lost business ranked as the biggest contributor to overall data breach costs. Recovering customers, profits and business opportunities after data breaches posed the greatest cost hurdles for companies in 2010. Lost business accounted for 48 percent of the total, an increase of 2 percent from 2009. Other contributing factors were costs sustained in the immediate aftermath of the event, such as resetting accounts and communicating with customers (known as ex-post response) at 23 percent and costs related to detection / escalation at 20 percent.
  • Encryption and other technologies are gaining ground as post-breach remedies, with strengthening perimeter controls coming in third place. 75 percent of respondents use endpoint security solutions after data breaches; this is up significantly from 59 percent in 2009. Encryption is the second most implemented preventive measure as a result of a data breach, with 70 percent. Strengthening perimeter controls came in at 69 percent.
  • Breaches involving third-party mistakes became a lower concern. Data breaches from third-party mistakes decreased marginally in 2010 to 34 percent, down 2 points. The cost of such breaches fell as well, down £7 (9 percent) to £74 per record. The drop may indicate that whilst the security of outsourced data remains important, those breaches became a lower priority in 2010.
  • Responding rapidly to data breaches costs companies slightly more than if they take one month or longer. Quick responders (companies that notify victims within one month) had a per record cost of £72. The equivalent cost for companies that take longer than a month was £1 less per record (£71). This is a reversal from last year, when faster companies benefitted from 19 percent lower costs by reporting earlier. Regulatory compliance pressures may explain these factors, as the Information Commissioner’s Office (ICO) received new enforcement powers in 2010, encouraging a more serious approach to compliance in order to avoid heavy fines.

Symantec recommends organisations implement the following best practices, whether or not they have suffered a data breach:
  1. Assess risks by identifying and classifying confidential information
  2. Educate employees on information protection policies and procedures, then hold them accountable
  3. Deploy data loss prevention technologies which enable policy compliance and enforcement
  4. Proactively encrypt laptops to minimise consequences of a lost device
  5. Integrate information protection practices into business processes
The fourth annual Ponemon Cost of a Data Breach report sponsored by Symantec is based on the actual data breach experiences of 38 UK companies from 13 different industry sectors, including the financial sector, government and telecommunications. It takes into account a wide range of business costs, including expense outlays for detection, escalation, notification, and after-the-fact (ex-post) response. The study also analyses the economic impact of lost or diminished customer trust and confidence as measured by customer churn or turnover rates. Results were not hypothetical responses; they represent cost estimates for activities resulting from actual data loss incidents. This is the fourth annual UK study of this issue.

Companies can analyse their own risk by visiting Symantec’s Data Breach Risk Calculator. Based on six years of trend data, the calculator takes into account an organisation’s size, industry, location and security practices to estimate how much a data breach would cost on both a per record and organisational basis.

Supporting Quotes
“We continue to see an increase in the costs to businesses suffering a data breach,” said Dr. Larry Ponemon, chairman and founder of the Ponemon Institute. “Regulators are cracking down to ensure organisations implement required data security controls or face harsher penalties. Confronted with both malicious and non-malicious threats from inside and outside the organisation, companies must proactively implement policies and technologies to mitigate the risk of costly breaches.”
“At a time when businesses in the UK remain economically cautious, protection of IP to remain competitive and avoidance of potentially large fines are key. With the average cost of a data breach for UK organisations rising to £1.9 million, securing information clearly continues to challenge organisations at all levels, but the vast majority of these breaches are preventable,” said Robert Mol, director of product marketing, Europe, Middle East and Africa, Symantec. “The study shows how companies with information protection best practices in place can greatly lower their potential data breach costs. Information-savvy organisations are protecting the data itself wherever it is stored or used, and also creating a culture of security including training, policies and actions.”
About the Ponemon Institute
The Ponemon Institute is dedicated to advancing responsible information and privacy management practices in business and government. To achieve this objective, the Institute conducts independent research, educates leaders from the private and public sectors and verifies the privacy and data protection practices of organisations in a variety of industries.

About Symantec
Symantec is a global leader in providing security, storage and systems management solutions to help consumers and organizations secure and manage their information-driven world. Our software and services protect against more risks at more points, more completely and efficiently, enabling confidence wherever information is used or stored. More information is available at www.symantec.com.


NOTE TO EDITORS: If you would like additional information on Symantec Corporation and its products, please visit the Symantec News Room at http://www.symantec.com/news. All prices noted are in U.S. dollars and are valid only in the United States.

Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.