Average cost of data breaches to UK firms hits £1.9m in 2010


The cost of a data breach to UK firms has risen for the third consecutive year, to an average of £1.9m, according to an annual study by the Ponemon Institute.

The figure is up 13% on 2009 and 18% on 2008, according to the survey of 38 UK companies from 13 industry sectors.

The cost of data breaches in the past year ranged from £36,000 to £6.2m, the Symantec-sponsored study found.

"We continue to see an increase in the costs to businesses suffering a data breach," said Larry Ponemon, chairman and founder of the Ponemon Institute.

Confronted with both malicious and non-malicious threats from inside and outside the organisation, companies must proactively implement policies and technologies to mitigate the risk of costly breaches, he said.

Hostile attacks caused the most expensive data breaches for UK organisations, costing an average of £80 per record, up £4 on 2009.

Malicious or criminal attacks accounted for 29% of all data breaches in 2010, the study found, up from 22% the year before.

The cost is made up of expenses associated with detection, escalation, notification, and customer churn due to diminished trust, the report says.

Lost business ranked as the biggest contributor to overall data breach costs, accounting for 48% of the total, up 2 points from 2009. Resetting accounts and communicating with customers made up 23% of the total, and detection and escalation made up 20%.

System failure overtook insider negligence as the most common cause of breaches, accounting for 37% of cases, up 7 points on 2009.

Negligence, which had been the most common cause in 2009, dropped 11 points to 34%. Lost or stolen devices and third-party mistakes each fell slightly. Malicious or criminal attacks rose 5 points to 29%.

According to the report, the likelihood of insecure mobile devices, including smartphones and tablet computers, accessing company data is 84%, up 9 points on 2009. Organisations are recognising this risk, however, with 64% stating that mobile device encryption is important, an increase of 13 points from 2009.

Endpoint security and encryption are gaining ground as post-breach remedies, with strengthening perimeter controls coming in third place. Three quarters of respondents deployed endpoint security solutions after a data breach, up from 59% in 2009; 70% opted for encryption and 69% chose to strengthen perimeter controls.

Data breaches caused by third-party mistakes decreased marginally in 2010 to 34%, down 2 points. The cost of such breaches fell 9% to £74 per record.

"The study shows how companies with information protection best practices in place can greatly lower their potential data breach costs," said Robert Mol, director of product marketing, Emea, for Symantec.

Information-savvy organisations are protecting the data itself wherever it is stored or used, and also creating a culture of security including training, policies and actions, he said.
