Security awareness once again appears to be a solution to data breaches. With negligence being the leading cause of data breaches, it stands to reason that a robust and effective information security awareness program will go a long way toward reducing data breaches and their cost. This is why it is paramount for senior management to institute and maintain such a program. It should not be a cookie-cutter program given to employees just to meet legal and regulatory requirements. It should be relevant to the industry and the company, and it should change the security culture of the employees.
The average cost of a data breach increased 5 percent in 2010 to $214 per compromised record, according to the sixth annual U.S. Cost of a Data Breach study by the Ponemon Institute.
Indirect breach costs, such as the loss of customers, outweigh direct costs by nearly two to one, according to the study. But direct costs rose five percentage points to account for 34 percent of total costs in 2010, primarily because of increased legal defense expenses.
"The sharp growth in direct costs and slight but persistent decrease in indirect costs over the past three years may indicate that companies are taking their response to data breaches more seriously than ever," according to the report's executive summary.
Breach Causes
Among the report's other key findings:
• The leading cause of breaches is negligence, accounting for 41 percent, up from 40 percent in 2009. The cost of these breaches averaged $196 per record, up 27 percent from 2009.
• Of the various causes of data breaches, malicious or criminal attacks increased the most in 2010, now accounting for 31 percent of breaches.
• For the second straight year, abnormal churn or turnover of customers after data breaches appears to be the dominant factor in total data breach cost, the study shows. The industries with the highest 2010 churn rates were pharmaceuticals and healthcare.
• Protecting against viruses, malware and spyware infection was the No. 1 data protection priority for the studied companies in 2010.
• Training and awareness programs remained the most popular post-breach remedies in 2010, mentioned by 63 percent. Expanded use of encryption was the second most popular, at 61 percent.
Wednesday, March 9, 2011