The Symantec study delves into the makeup of the cost involved. £37 of this cost is incurred indirectly, from factors such as lost business, reputational damage or churn of existing customers. However, while the cost per record has increased, the overall cost per breach has declined: from £1.9 million in 2010 to £1.75 million in 2011. Symantec believes that this indicates business is beginning to understand the cost and implications of data loss. “We’re noticing,” says Symantec’s Mike Jones, “that companies at risk of data loss are becoming wise to the financial impact of a data breach. These businesses are implementing steps not just to prevent loss but to mitigate the damage, should a breach occur.”
The report also suggests that in some areas customers are becoming desensitized to data loss, with companies less likely to be abandoned by their customers. The ‘average abnormal churn’ has decreased from 3.3% in 2010 to 2.9% in 2011. However, this decrease doesn’t apply to industries like financial services and pharmaceuticals, perhaps suggesting that customers are equally becoming more discerning over what they consider to be personally important.
“We’ve shifted to an age where data breaches are now just a common occurrence,” comments Jones. “As such, UK consumers have become somewhat desensitized to data losses, but that doesn’t mean that businesses should become complacent. The cost of data loss still remains high and, in tighter economic times, even a single digit increase in customer churn can be terminal to profitability.”
Four areas for potential improvement can be deduced from this study. Firstly, it notes that the main cause of data breaches is actually negligence – 36% of data breaches involved negligent employees or contractors. Improved staff training and improved third-party contractual arrangements could therefore reduce breaches dramatically. Secondly, malicious attacks are increasingly successful, rising from 29% to 31% over the last year, and are also the most costly. “Accordingly,” says the report, “organizations need to focus on processes, policies and technologies that address threats from the malicious insider or hacker.” Thirdly, the report notes that as much as 47% of the total per capita cost of a breach is from indirect costs. “By taking steps to keep customers loyal,” says Jones, “and repair any damage to reputation and brand through quick reactions and taking the appropriate action, businesses can help to reduce the cost of a data breach.”
Finally, the report also notes the value of a security champion. Organizations with a CISO who has overall responsibility for enterprise data protection can reduce the cost of data breaches by as much as £18 per compromised record.