Costs of a data breach falling, but cost per record rising

The cost of a data breach in the UK is falling, data from Ponemon Institute shows, but the news isn't all good.

The average cost of a security breach involving personal information in the UK has climbed to £79 per record, according to the findings of a study by the Ponemon Institute. Breaches in certain industries are especially expensive, exceeding £100 per record in financial services and pharmaceuticals.


The 2011 Cost of Data Breach Study: United Kingdom report, sponsored by Symantec and published earlier this month, showed the cost per record lost has risen by 68% over the last five years.

The study was conducted by the Ponemon Institute, a US-based research company, as part of a global research project that also included the US, Germany, France, Australia, and for the first time this year, Italy and India.

Cost per record breached
The data breach cost figures were based on an analysis of data breaches that took place at 36 UK organisations in 11 different industry sectors, and included the cost of detection, escalation and notification of the breach, plus any drop in business that could be attributed to the breach.

The Ponemon data breach report showed the cost of handling a breach can vary widely among industry sectors. The most expensive breaches by far occurred in the pharmaceutical sector, where the cost was £120 per record, followed by financial services, at £103.

Total cost of a breach
However, the report showed that overall costs of a data breach are down on previous years, partly because fewer records had been breached, and also because organisations seemed better prepared to manage a breach when it occurred. The average total cost of a breach fell slightly from £1.9 million in 2010 to £1.75 million in 2011.

In addition, customers appear to be more forgiving and are prepared to continue dealing with companies even after a breach. The average cost of lost business fell from a 3.3% reduction in business in 2010 to a 2.9% drop in 2011. However, this was not true for all sectors: higher rates of churn were noted in finance and pharmaceuticals, helping to push up their overall breach costs. At the other end of the scale, retailers registered little customer churn as a result of a breach.

Handling breaches to reduce costs
The study found companies that had appointed a CISO tended to be more efficient in taking corrective measures, and this reduced the cost of a breach by £18 per record. Using an external consultant to help manage an incident also reduced the cost per record lost.

Mike Jones, senior product marketing manager for Symantec EMEA, based in South Africa, said many companies are now much better organised to handle a serious breach, having learned the lessons of two or three years ago when breaches started making the headlines on a regular basis.

Jones said to effectively reduce the cost per record lost, a company must appoint someone to be responsible for its data protection effort.

“The true knowledge about what information is critical is not held in IT,” Jones said, “and so you need someone who can deal with individual departments in an organisation and identify the business impact of a breach.”
