READING, UK. – March 20, 2012 – Symantec Corp. (NASDAQ: SYMC) and Ponemon Institute today revealed that the average cost of a data breach has risen for the fifth consecutive year. The 2011 Annual Study: UK Cost of a Data Breach found that the average cost per capita of a data breach rose to £79 per record, up from £71 in 2010 and 68 percent higher than £47 in 2007. Notably, negligent employees or contractors pose the biggest risk to organisations, responsible for over a third (36 percent) of all data breaches.
Despite a rise in cost per record, the report also disclosed that the actual organisational cost of a breach has, in fact, declined from £1.9 million in 2010 to £1.75 million in 2011, suggesting that businesses have improved performance in both preparing for and responding to data breaches. Data breaches cost companies an average of £79 per compromised record – of which £37 pertains to indirect costs such as lost business, reputational damage or churn of existing customers.
Mike Jones, Senior Product Marketing Manager, Symantec, commented: “We’re noticing that companies at risk of data loss are becoming wise to the financial impact of a data breach. These businesses are implementing steps not just to prevent loss but to mitigate the damage, should a breach occur. It’s not just direct costs – such as fines from The Information Commissioner’s Office (ICO) – that need to be considered, although these help to drive the business case for preventative measures, but also indirect costs such as brand impact and disappointed customers leaving the brand.
“While Ponemon Institute takes into consideration the costs of the actual data loss related to records, in recent years there has also been an increased consciousness amongst businesses that valuable intellectual property and private communications can present a great source of risk to a company’s financial stability.
“In addition, the report shows a large proportion of data breaches are actually caused by individual negligence. Businesses need to show that they are aware of this and be seen to react in an appropriate way. They need to take protective measures to proactively monitor the level of control and the access to company data that they give to individual employees and prevent accidental or purposeful misuse.”
The report indicates that fewer records are being lost in breaches and businesses that do suffer data loss are less likely to be abandoned by customers, with the average abnormal churn decreasing from 3.3 percent in 2010 to 2.9 percent. Yet, certain industries, such as financial services or pharmaceutical companies, remain more susceptible to customer churn, causing the cost of their data breaches to be higher than the average.
Jones concluded: “We’ve shifted to an age where data breaches are now just a common occurrence. As such, UK consumers have become somewhat desensitised to data losses, but that doesn’t mean that businesses should become complacent. The cost of data loss still remains high and, in tighter economic times, even a single digit increase in customer churn can be terminal to profitability.
“Indirect costs represent 47 per cent of total per capita cost so organisations need to be cautious of this. By taking steps to keep customers loyal, and repair any damage to reputation and brand through quick reactions and taking the appropriate action, businesses can help to reduce the cost of a data breach. It’s interesting that spend on public relations and communications costs have steadily risen since 2007, increasing by 5 per cent.”
Malicious or criminal attacks have increased slightly from 29 percent to 31 percent and are the most costly for organisations. Accordingly, organisations need to focus on policies, processes and technologies that address threats from the malicious insider or hacker. Likewise, certain organisational factors can reduce overall costs. The report showed that for those organisations with a CISO that has overall responsibility for enterprise data protection, the average cost of a data breach can be reduced by as much as £18 per compromised record.
Companies can analyse their own risk by visiting Symantec’s Data Breach Risk Calculator. Based on six years of trend data, the calculator takes into account an organisation’s size, industry, location and security practices to estimate how much a data breach would cost on both a per record and organisational basis.
About Ponemon Institute
Ponemon Institute is dedicated to advancing responsible information and privacy management practices in business and government. To achieve this objective, the Institute conducts independent research, educates leaders from the private and public sectors and verifies the privacy and data protection practices of organisations in a variety of industries.
Symantec is a global leader in providing security, storage and systems management solutions to help consumers and organizations secure and manage their information-driven world. Our software and services protect against more risks at more points, more completely and efficiently, enabling confidence wherever information is used or stored. More information is available at www.symantec.com
NOTE TO EDITORS:
If you would like additional information on Symantec Corporation and its products, please visit the Symantec News Room at http://www.symantec.com/news. All prices noted are in U.S. dollars and are valid only in the United States.
Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.
The fifth annual Ponemon Cost of a Data Breach report sponsored by Symantec is based on the actual data breach experiences of 36 UK companies from 11 different industry sectors, including the financial sector, government and telecommunications. It takes into account a wide range of business costs, including expense outlays for detection, escalation, notification, and after-the-fact (ex-post) response. The study also analyses the economic impact of lost or diminished customer trust and confidence as measured by customer churn or turnover rates. Results were not hypothetical responses; they represent cost estimates for activities resulting from actual data loss incidents. This is the fifth annual UK study of this issue.