According to the 2013 Cost of a Data Breach Study from Ponemon and Symantec, issues included employee mishandling of confidential data, lack of system controls, and violations of industry and government regulations. Heavily regulated fields including healthcare, finance and pharmaceuticals incurred breach costs that were 70% higher than other industries.
"While external attackers and their evolving methods pose a great threat to companies, the dangers associated with the insider threat can be equally destructive and insidious," said Larry Ponemon, chairman of the research firm. "Eight years of research on data breach costs has shown employee behavior to be one of the most pressing issues facing organizations today, up 22% since the first survey."
Together, human errors and system problems account for 64% of data breaches in the global study, while prior research shows that 62% of employees think it is acceptable to transfer corporate data outside the company – and the majority never delete the data, leaving it vulnerable to leaks. This illustrates the large extent to which insiders contribute to data breaches and how costly that loss can be to organizations.
Brazilian companies were most likely to experience breaches caused by human error. Companies in India were the most likely to experience a data breach caused by a system glitch or business process failure. System glitches include application failures, inadvertent data dumps, logic errors in data transfer, identity or authentication failures (wrongful access) and data recovery failures.
Interestingly, while the global cost per compromised customer record was up over the previous year, the total cost per data breach incident in the US was down slightly at $5.4 million. This decline was attributed to the appointment of chief information security officers (CISOs) with enterprise-wide responsibilities, comprehensive incident response plans and stronger overall security programs.
"Given organizations with strong security postures and incident response plans experienced breach costs 20% less than others, the importance of a well-coordinated, holistic approach is clear," said Anil Chakravarthy, executive vice president of the Information Security Group at Symantec. "Companies must protect their customers' sensitive information no matter where it resides, be it on a PC, mobile device, corporate network or data center."
That’s not to say the US should be patting itself on the shoulder though: even with the decline, the US and Germany continue to incur the most costly data breaches (at an average cost per compromised record of $188 and $199, respectively). These two countries also had the highest total cost per data breach (Germany came in at $4.8 million per incident).
Beyond those two “leaders,” the study found that the average cost per data breach varies worldwide. Many of these differences are due to the types of threats that organizations face, as well as the data protection laws in the respective countries. Some countries such as Germany, Australia, the UK and the US have more established consumer protection laws and regulations to strengthen data privacy and cybersecurity.
While inside issues are the main drivers for breaches, malicious and criminal attacks still account for 37% of breaches and are the most costly everywhere. The US and Germany once again lead the pack, boasting the most expensive data breach incidents caused by malicious or criminal attackers ($277 and $214 per compromised record, respectively). German companies were also most likely to experience a malicious or criminal attack, followed by Australia and Japan.
Brazil and India had the least costly data breaches at $71 and $46 per record, respectively.