Ulf Mattsson, Chief Technology Officer, Protegrity: Ponemon Says Average Cost of a Data Breach Rises 7 Percent in 2010

May 2011 by Ulf Mattsson, CTO, Protegrity Corporation

According to a new report by the Ponemon Institute, the average cost of a data breach for U.S. companies rose 7 percent between 2009 and 2010 to $7.2 million. To say this is a serious issue is a huge understatement.

I enjoyed Tony Bradley’s analysis of the study in PC World in which he cites the high costs of recent breaches at the Alaska Department of Education and the University of South Carolina. If the situation is bad within the education industry, what does that mean for all the others? According to Ponemon’s study, the education industry ranks only 8th in terms of the average number of compromised files each year, behind consumer products, technology, retail, industrials, government, health care and communications.

Another alarming standout trend is the significant jump in malicious attacks companies have experienced over the past two years. According to the study, malicious attacks were the main cause of 31 percent of the data breaches examined by Ponemon, up from 24 percent in 2009 and 12 percent in 2008. These attacks also cost companies the most money because they are harder to detect, investigate and contain.

In his blog, Larry Ponemon was reassured to find that companies are being more proactive about protecting themselves from malicious threats. While I agree that this is a good sign, I am far more concerned about the fact that data breach costs are still rising despite these efforts among companies to be more proactive.
Staying ahead of the bad guys is not an easy task, and organizations will need to deploy defense-in-depth strategies that protect all possible data fields that are at risk of an attack. As I’ve spoken out about before, emerging data security approaches like tokenization offer a lot of promise to companies in this area.

Finally, the Ponemon study also showed how organizations view different data compliance regulations in terms of their importance and difficulty. Not surprisingly, PCI DSS regulation as well as U.S. state data breach and privacy laws were of greatest concern to respondents. I believe that data security standards such as PCI DSS are an important part of the longer term solution, but the industry really needs to move faster to avoid a situation of delivering too little, too late.

