The new security reality
The Ponemon Institute's most recent study of the costs of data breaches has uncovered something interesting: For the first time in seven years, the organizational costs of data breach and the costs per lost or stolen record have declined.
Organizational costs fell from $7.2 million to $5.5 million, and the cost per record fell to $194 from $214, the previous all-time high. The study defines a record "as information that identifies an individual whose information has been compromised in a data breach." The report concludes that organizations "have improved their performance in both preparing for and responding to a data breach. As the findings reveal, more organizations are using data loss prevention technologies, fewer records are being lost in these breaches and there is less customer churn."
Indeed, more than 45 states have enacted laws requiring the owners of PII to notify affected individuals of data security breaches, so there is a powerful incentive to take security more seriously. The study also documented that "fewer customers are abandoning companies that have a data breach." In addition, lost-business costs fell sharply, from $4.54 million in 2010 to $3.01 million in 2011. These costs cover abnormal customer turnover (a higher than average loss of customers for the industry or organization), increased customer acquisition activities, reputation losses and diminished goodwill.
So what to make of these trends?
No doubt they are good news for many in the industry. There was a time when the very survival of a company was in question after a major breach. Since then, there have been so many high-profile breaches of major companies--the likes of Google, Sony and EMC, to name a few--that we've become all too accustomed to them, for better or worse.
What we're seeing now is the institutionalization of data breaches. They have become part of the IT fabric, an accepted cost of doing business. We no longer think in terms of zero security incidents but in terms of mitigating the harm after an incident occurs. Customers seem to accept the reality of breaches and are willing to forgive as long as you do right by them afterward.
So in a sense, it's become like pest control. You cannot hope to eradicate the ants in your home; you can only hope to contain them. And yet you have to remain vigilant about that control, because costs could easily balloon if you let your guard down. -Jim