Imagine this scenario – you’ve just discovered hackers have reached into your system, pulled your customers’ records, and cost you both your reputation and the business of some of your customers.
So now it’s time to do the math. How much, in dollars and cents, will this data breach cost your business? Security solutions provider Symantec Corp. and researchers from the Ponemon Institute have a good idea – based on companies’ past experiences, a business that has fallen prey to a data breach could be looking at a cost of around $3.1 million.
In a recent study, Symantec and the Ponemon Institute polled about 1,400 people from 277 different organizations in nine countries. While none of the companies polled were Canadian, and Canada is known for being more concerned about privacy than its U.S. counterpart, there may be similar patterns across North America, says Larry Ponemon, chairman of the Ponemon Institute.
And there are still some lessons to be learned from others’ experiences with data loss through criminal or malicious attacks, he adds.
“What we’re really trying to understand is, do companies try to change their ways and become better, learning from the negative. And the answer is in part they do, but not every organization does a whole lot,” he says.
The average consolidated data breach cost a company about $136 per lost record, while the average number of records lost per data breach in 2012 was about 23,647. Considering a company can lose anywhere from 2,300 to more than 99,000 records in a single data breach, the cost is a hefty one that quickly adds up.
The cost per record varies by sector – for example, a lost record in healthcare could cost a business as much as $233, with the financial sector following closely at $215. At the lowest end of the spectrum was retail, coming in at $78 per lost record.
To calculate the average cost of a data breach, the Ponemon Institute collected information on both a company’s direct and indirect expenses. When a data breach occurs, direct expenses include hiring forensic experts, outsourcing hotline support for disgruntled customers, and providing free credit monitoring subscriptions and future discounts on products and services to compensate those customers.
Yet there are also indirect expenses – for example, getting in-house investigations underway, as well as the cost of losing unhappy customers and failing to acquire new ones.
It would be a lot for any company to absorb, but businesses can mitigate their risk by preparing for pitfalls.
The main reasons for data breaches are human error, system problems, and malicious or criminal attacks, the Ponemon Institute report found. Culprits include employees who mishandle information, breaches of government and industry regulations, and a failure to have system controls in place. All told, 35 per cent of data breaches were due to human error, 29 per cent happened because of system glitches and 37 per cent occurred thanks to malicious or criminal attacks.
“Your employees can be the biggest risk but also your best defense against data breaches,” said Linda Park, senior product marketing manager at Symantec. She recommends employees be trained to handle sensitive data.
“What we recommend is having defense in depth, a multi-layered approach to securing your network,” she says. “Specifically, we’re talking about secure technologies like data loss prevention as well as encryption and strong authentication.”
Symantec also provides an online data breach calculator that businesses can use to estimate how much a data breach might cost them.
Yet the issue of data security only becomes thornier as more businesses adopt a bring your own device (BYOD) policy and allow employees to connect personal devices to their networks, Park adds.
“We’re seeing employees who are admitting to … downloading intellectual property to their mobile devices, and they’re actually propagating it out to cloud-based services,” she says. “No one’s ever cleaning that up, so we definitely see BYOD as coming in [as] a larger priority.”
BYOD also complicates matters because personal devices may contain personal information, meaning a company may not have the right to wipe the device’s data if it is compromised, Ponemon says.
And many businesses’ employees still seem complacent when it comes to security – something that needs to change as BYOD only grows in the workplace, he adds.
“We’re not trying to find out … what bad people are doing, but what good people are doing, the mistakes people make.”