Data breaches at U.S. companies
attributed to malicious attacks and botnets doubled from 2008 to 2009
and cost substantially more than breaches caused by human negligence or
system glitches, according to a new Ponemon survey to be released on
Monday.
The incidence of malicious attacks rose from 12 percent in 2008 to 24 percent
last year, according to the 2009 Annual Study: U.S. Cost of a Data Breach survey
conducted by the Ponemon Institute and sponsored by PGP Corp.
The cost per compromised record involving a criminal act averaged $215, about
40 percent higher than breaches from negligence and 30 percent higher than those
from glitches, the survey found.
For the first time, companies reported in the survey that data-stealing
malware caused their breaches.
"A surprising finding is that malicious or criminal attacks increased
substantially. These attacks often utilized data-stealing malware or botnets,"
said Larry Ponemon, founder and chairman of the Ponemon Institute. "We never
experienced this type of data breach in the prior five years. Hence, the nature
of data breach incidents may be changing. In addition, these types of attacks
are much more expensive for participating companies."
The average organizational cost of a data breach increased nearly 2 percent
to $6.75 million in 2009, while the average cost per compromised record per
breach rose only $2 to $204. The most expensive breach in the survey was nearly
$31 million and the least expensive was $750,000.
Meanwhile, 42 percent of all cases reported in the survey involved
mistakes made at third parties, such as outsourcers, and 36 percent of
the cases involved lost or stolen laptops or other mobile devices.
For the study, 45 U.S. companies from 15 different industries were
surveyed. The figures include business costs including expenditures for
detection, notification, and response, as well as the economic impact of
lost or diminished customer trust and confidence as measured by customer
turnover rates.
Asked to comment on criticism that data breaches are over-estimated,
Ponemon said, "We believe our figures are conservative, given that we
exclude future costs such as remediation, legal defense, and fines."
|
