Average cost of a breach is £47 per lost record

If anyone still needed convincing, new research has confirmed that British customers really will desert companies that suffer serious security breaches.

If anyone still needed convincing, new research has confirmed that British customers really will desert companies that suffer serious security breaches. Not only that, but the cost of investigating and responding to a breach generally outweighs the cost of preventing it in the first place.

The conclusions come in a report from the US-based Ponemon Institute which has carried out similar surveys in the US for the last four years. The new report is based on information provided by 21 UK companies that had suffered security breaches in 2007 – 11 of them in financial services, four in retail and the others spread across a range of sectors.

The severity of the losses ranged from 2,500 records to 125,000, and the estimated cost of recovering from the loss, including lost business, ranged from £85,000 to £3.8 million.

The survey found that, on average, 36% of the cost of a breach resulted from a loss of business – in other words, customers taking their business elsewhere. But the effect on customers was patchy across industry sectors. On average, churn rates rose by 2.5% after a breach, and while some companies reported virtually no effect at all, the most seriously affected saw customer churn rise by 7%.

The biggest effects were felt in financial services, where customer trust was most important. This meant that while the average cost of a breach was £47 per record compromised, it was £55 in financial services. The average cost for retailers was £51.

The £47 average cost per record consisted of £15 for detection and escalation; £15 for post-breach measures; and £17 on lost business and increased cost of customer acquisition. Just £1 per record was spent on notifying those involved, which tends to imply that companies did not always notify those affected.

US data breach costs twice as high as UK

As the report comments, a more formal notification regime, as already exists in the US where disclosure is mandatory in most States, would push up the costs. According to Ponemon, the average cost of a data breach in the US is $197 – more than twice the UK cost.

Larry Ponemon, chairman of the Ponemon Institute, said that his US research showed a higher level of customer churn than in the UK, and that abnormal churn in the US could reach more than 8%. He also noted that UK companies tended to devote a higher level of resources to detecting and understanding the causes of any breach. "That may have been influenced by the high proportion of financial services companies in our sample," he admitted.

Although organisations spend much effort and money on warding off hackers, malicious code and malicious insiders, the figures show that carelessness and incompetence are much more significant factors. For instance, 36% of breaches resulted from laptops and other mobile devices going missing or being stolen. The second most significant cause (at 24%) was the loss of paper records.

By contrast, hackers, malicious insiders and malware accounted for just 12% of all incidents.

The research also discovered that while 36% of breaches resulted from lost or stolen laptops and other mobile devices, 38% of breaches were caused by third parties – such as consultants, business partners and outsourcing companies – losing their clients' information.

Losses by third-parties also tended to be more expensive to fix, averaging £59 per record compromised, compared with £42 for breaches that happened within a company.

Guy Bunker, chief scientist for Symantec Corporation, said that despite the low sample size of the survey, he thought it painted an accurate picture. He said that US companies had been forced to take the problem more seriously because they faced the prospect of mandatory disclosure. "Companies in the UK don't really have much of a handle on where data is held, either on laptops or servers," he said. "It's the unstructured data that gets sent around the organisation, and gets stored on laptops, that you need to be able to identify."

He said many of the problems identified in the report could be solved by tightening up processes, such as ensuring the shredding of confidential documents, or the destruction of CD-ROMs when they were no longer needed. ,

The cost of prevention, he said, was far less than the cost of handling a breach. "My gut feeling is that the solution would be about 10% of the cost of the loss. When you look at the most serious loss, £3.8 million, you could get a lot of data loss prevention for 10% of that," he said.

The full report, which was sponsored by PGP and Symantec, is entitled '2007 Annual Study: UK Cost of a Data Breach', and can be downloaded at here.

Read more on Privacy and data protection