The cost of a data breach rose again last year, according to the annual U.S. Cost of a Data Breach Study from the Ponemon Institute. Breach costs are typically higher than companies expect, according to the report. And some costs, such as litigation, can be difficult to predict.
The study, which looked at 45 companies that suffered a breach, also examined methods, both technical and policy-oriented, that organizations employed afterwards. Companies added employee awareness and training programs more often than any other change, according to the report.
The addition of these kinds of programs is “telling,” says Mike Spinney, Ponemon senior privacy analyst, as firms “are often wiser” after a breach. In addition, awareness and training are a relatively inexpensive way to make a big difference, he says.
Each lost record cost companies an average of $204 last year, only slightly more than the $202 it cost a year earlier, but this year’s cost is about 60 percent higher than five years ago, when the first study was released. The total cost to a business of the average breach studied was $6.75 million.
Awareness and training programs were implemented by 67 percent of firms, followed by additional manual procedures and controls (58 percent), increased use of encryption (58 percent), and identity and access management solutions (49 percent).
Training and awareness programs can be particularly effective when focused on protecting laptops and other data-bearing devices, Spinney says. Such breaches made up 36 percent of examined cases; their per-record cost was $225, compared to $204 for all records on average.
Organizations could place an identifier on the laptop so that it can’t be mistaken at the airport for a look-alike, and of course, employees should be trained not to leave it unattended. Part of the aim should be explaining the risks and potential costs to employees, he says.
A previous Ponemon study showed that about 40 percent of executives turned off their laptop’s encryption. Policy and training should require that encryption stay on. In most states, missing encrypted laptops are not considered a breach.
In 2006, the U.S. Veterans Administration suffered a breach when a laptop was stolen. In addition to fines and other costs, the agency settled with veterans last year for $30 million. Since the breach, the VA has been making an aggressive effort to strengthen security, according to Charles Gephart, director of IT Field Security Operations at the VA. Technical measures have included requiring government-issued USB sticks, locking down many computer ports, and equipping computers with whitelisting software, he said at a cyber security conference.
The agency has also beefed up its policies and staff training. The most important change has been a “cultural” one, says Gephart, in which “it’s the responsibility of individuals to take care of sensitive data themselves.”