Each Data Breach Costs UK Firms £1.9m

The cost of data breaches in the UK is continuing to rise, with those caused by malicious or criminal attacks costing more than any other, according to new research by the Ponemon Institute.

The average data breach costs UK organisations £1.9 million, an increase of 13 percent from 2009, and 18 percent from 2008. The report, which was sponsored by Symantec, found that incidents ranged from 6,900 to 72,000 records, with the cost of each breach varying from £36,000 to £6.2 million.

“Securing information clearly continues to challenge organisations at all levels,” said Robert Mol, director of EMEA product marketing for Symantec. “Information-savvy organisations are protecting the data itself wherever it is stored or used, and also creating a culture of security including training, policies and actions.”

Policy and IT failure

The research found that system failure had overtaken ‘the negligent insider’ as the most common threat, with 37 percent of all cases involving a failure of policies or technology. Meanwhile, the problem of employee negligence dropped 11 points from 2009, to represent 34 percent of data breaches. The sharp drop in breaches due to negligence may be due to increased awareness of data breaches and more conscientious efforts to prevent them, the report stated.

While hostile attacks – like the Gawker Media hack in December 2010 – accounted for just 29 percent of all data breaches, they were by far the most expensive, costing an average of £80 per record. This is compared to £74 for breaches from third-party mistakes, £72 for data on lost or stolen devices, £66 for negligence and £59 for system failures. This is largely due to indirect costs, such as lost customer business due to ‘churn’ and customer acquisition costs, the report found. Indirect costs in 2010 accounted for 46 percent of the total cost of a data breach, up 10 percent from 2009.

Ironically, however, those companies that responded quickly to data breaches ended up paying more than those that waited more than a month to report the breach. This is a reversal from last year when faster companies benefited from 19 percent lower costs by reporting earlier.

This may be a result of regulatory compliance pressures, after the Information Commissioner’s Office (ICO) was given greater powers of regulation in 2010. Companies that fall foul of the data breach laws now risk a maximum fine of £500,000, although few penalties have been issued.

Increased regulation

“Regulators are cracking down to ensure organisations implement required data security controls or face harsher penalties,” said Dr. Larry Ponemon, chairman and founder of the Ponemon Institute. “Confronted with both malicious and non-malicious threats from inside and outside the organisation, companies must proactively implement policies and technologies to mitigate the risk of costly breaches.”

The ICO issued its first data loss fines in November 2010, after months of apparent inaction. Hertfordshire County Council was ordered to pay a fine of £100,000 for revealing details of a sex abuse case to a member of the public, and employment agency A4e was fined £60,000 for losing a laptop which contained the unencrypted details of thousands of people.

More recently, Ealing Council was hit with a £80,000 fine and Hounslow Council was charged £70,000, for losing laptops that contained sensitive personal data. Deputy ICO commissioner David Smith said the two councils were paying the price for lax data protection practices.

Sophie Curtis


  • The latest data from the Ponemon Institute serves as a stark reminder of the costs of lax data security to UK businesses.

    Failure to clamp down on data security has real and painful consequences for any organisation, putting jobs at risk, generating lasting bad press and eroding what are already fragile revenues in the current economic climate.

    Worryingly, the significant figure of £1.9 million average cost per incident, or £71 per compromised record, does not account for the ability of the Information Commissioner’s Office to fine companies in the UK up to £500,000 for each instance of a data protection failing.

    The growth in the cost of a data breach represents the knock-on effect of increased mobile device use in the workplace, including removable storage, as well as an increasingly lax attitude to protecting not only removable storage devices but data in all its forms. Some 64 per cent of those surveyed by Ponemon acknowledged the risk posed by mobile devices to data security, while 84 per cent said that insecure mobile devices were likely to have accessed corporate data in some form.

    Fortunately, the Ponemon Institute report shows investment is increasing as companies look to correct such oversights before they become systemic. The value of such an investment is certainly attractive in comparison to the costs of a data breach.

  • Organisations need to better understand the source of risk

    Once again, UK data breach costs are rising, to an average of £71 per record. Data breaches can create catastrophic bad press and can have a painful impact on the bottom line. Coupled with the new powers of the Information Commissioner’s Office to fine companies in the UK upwards of £500,000 for each instance of a data protection failing, the final overall cost of a breach or loss could very quickly dwarf the £1.9 million revealed by this. The fact that policy failures accounted for the biggest proportion, 37%, indicates that while companies are heavily investing in intrusion prevention, they are not properly managing access by their own employees to critical data such as customer information or patient records. Organisations need to better understand where their greatest sources of risk reside as well as who is accessing sensitive data, how and why. It is the organisation’s responsibility to stringently manage policy and track activity to make sure that access to the most sensitive data is only granted to those for whom it is necessary to do their jobs.

    Marc Lee, EMEA Sales Director, Courion

  • The Ponemon Institute’s research is in line with the findings of our recent study of data leakage incidents amongst large UK businesses. This revealed that reputation damage, loss of competitive edge, and loss of suppliers and customers were top consequences of data breaches. It also showed that some businesses leave it until after an event to make necessary changes to their security posture. Emergency changes like these, often under the close scrutiny of stakeholders, are far more expensive and disruptive than planned improvements. The message is clear: data breaches will happen, and businesses need to act now to have a hope of reducing fallout from them.

    Linked to this, we also found that building a business case for investment in data leakage prevention is a top challenge for the IT team – perhaps explaining the reactive approach taken by some businesses. In the past, risks from data leakage have been hard to quantify, and a business case for investment in security measures has consequently been difficult to build. Now, though, there are plenty of examples that businesses can draw on to help build a case for investment. The Ponemon Institute’s study and others, like ours, can add to this. Most importantly, organisations should conduct a risk assessment, which will provide an overview of a business’s security posture, the criticality or sensitivity of its data, and the possible consequences of a data leak. Only through such an assessment will businesses gain a comprehensive view of their security posture, and be able to weigh this against their appetite for risk, and in turn decide what data leakage prevention, if any, is necessary to lower risk to an acceptable level.

    Chris Jenkins, Director - Security, Dimension Data UK
