Cyber Access Control | MFA Enterprise Password Management | Access Smart

Data Breach Costs Drop Misleads while Cyberattacks Increase

A Data Breach can still bankrupt a business

Network Access AuthenticationIn Ponemon Institution’s annual “Cost of Data Breach Study” shows that the cost per record lost and the average cost of a data breach dropped in 2011. The cost per record dropped from $214 to $194, and from an average breach cost from $7.2M to $5.5M. The decline is credited to organizations being better prepared for and responding to a data breach. Here are some of the reasons for the drop:

  •          The decrease in per capita breach costs
  •          The average size of a data breach
  •          The decrease in abnormal customer churn
  •          A drop in the average total cost of a data breach response

While this may seem great news, don’t let your guard down just yet. All this is showing is that the costs to a company are dropping, and having a plan and response team will lower a company’s costs. From another industry report, Symantec claims that the number of attacks increased 81% from 2010 to 2011.

Ponemon Institution Statistics.

The top three costs to a company from a breach include:

  •          Lost customer business:                37%
  •          Legal Defense Services:                 15%
  •          Investigations & forensics:              11%

In 2011 the top three sources of data breaches were:

  •          Network breaches:                         56.4%
  •          ICS and SCADA Vulnerabilities:      15.4%
  •          Hacker (Hacktivist) attack:              14.1%

The root cause distribution of the breach is evenly divided between three groups:

  •          Employee Negligence:                    39%
  •          Malicious or Criminal Attacks:         37%
  •          System Glitch:                               24%

After a data breach, the top preventive measures and controls include:

  •          Training an awareness programs: 53%, but dropping each year for the past 3 years
  •          Expanding the use of encryption: 52% but dropped from FY 2010
  •          Additional Manual procedures and controls: 49%, but dropping each year for the past 3 years
  •          Identity and access management solutions: 47% but dropped from FY 2010

Symantec Statistics

In reviewing Symantec’s statistics it is discovered that attacks are on the rise. The report states that data breaches are focused on all organizations regardless of size. In 2011 there were:

  •          5.5 billion attacks worldwide compared to 3.8 billion in 2010
  •          403 million unique samples of malicious code
  •          daily web-based attacks increase of 36%
  •          attackers using simple tools to target vulnerabilities
  •          cybercriminals placing spam on social network sites
  •          58% of company attacks aimed at the personnel dept., public relations and sales
  •          1.1 million personal records, on average, stolen in an attack


The Ponemon Institution is a very well respected organizations but their data breach cost reduction headline is misleading.  They did not include attacks over 100,000 records in the survey. Ponemon’s response is, “They are not representative of most data breaches and including them in the study would skew the results.” You can only imagine which way the results would be skewed, and if you are the victim you really don’t care about the statistics. The Symantec data does not agree on the average number of records stolen per data breach.

The Symantec reports that attacks are increasing, the number of records stolen is increasing and that people are still the weakest link because of social networking, lost computers, cloud, Bring Your Own Devices (BYOD) [or as I like to say Bring Your Own Demise] and clicking on attachments. There is no silver bullet here in that a single security component will eliminate the risk. The only strategy is to put in enough barriers to make the time and effort to attack too long while at the same time keeping legitimate access convenient for employees.

Here are 5 tips that must be done by every company:

  1. Deploy a multi-factor, password manager that is incorporated into the employee’s ID badge.
  2. Encrypt all data stored on every media
  3. Segment the security classification of all data to determine access rights and storage location
  4. Don’t jump into the cloud without first knowing the security risks
  5. Run annual security audits and evaluations because the treats are changing daily

Please contact Access Smart if you would like a free consultation of security precautions and to learn more about our partner’s products and services.