Human error causes most data breaches, Ponemon study finds

Human errors and system problems caused two-thirds of data breaches in 2012, according to a study from Symantec and the Ponemon Institute

Human errors and system problems caused two-thirds of data breaches in 2012, according to the latest Cost of Data Breach Study by Symantec and the Ponemon Institute.

Issues include employees mishandling confidential data, lack of system controls and violations of industry and government regulations.

The eighth annual global report is based on data breaches at 277 companies in the UK and eight other countries.

The individual country data shows UK companies are nearly as likely to be targeted by a criminal as they are to be hit by a data breach caused by human error.

“Eight years of research on data breach costs has shown employee behaviour to be one of the most pressing issues, up 22% since the first survey,” said Larry Ponemon, chairman of the Ponemon Institute.

Cost of breaches

However, the study found that breaches caused by a malicious or criminal attack are the most costly, with a cost of £102 per record, compared with £78 on average for incidents involving employee error.

The current global average cost of data breaches stands at £89, with heavily regulated fields including healthcare, finance and pharmaceutical incurring breach costs 70% higher than other industries.

In this year’s study, the average cost of a UK data breach increased from £79 to £86 per record.  


How to reduce costs

While the cost of a breach continues to rise, companies that have appointed a chief information security officer (CISO) with enterprise-wide responsibilities have lowered the cost of breaches slightly.

A similar strategy in the US has proved successful, especially when combined with a comprehensive incident response plan and stronger overall security programmes.

“Given organisations with strong security postures and incident response plans experienced breach costs 20% less than others, the importance of a well-coordinated, holistic approach is clear,” said Anil Chakravarthy, executive vice-president of the Information Security Group, Symantec.

In the UK, the average cost of a data breach for organisations with a formal incident response plan in place prior to the incident was reduced by as much as £13 per compromised record.

In addition, a strong security posture and the appointment of a CISO reduced the cost by as much as £13 and £9 per compromised record, respectively.

The human factor

Mike Smart, product & solutions manager, Symantec, said that – with more than a third of UK data breaches involving negligent employees or contractors – the "human factor" is still the weakest link.

Download the UK study here:

2013 Cost of Data Breach Study: UK

“Consequently, training and awareness should be a priority from the offset,” Smart said.

However, he said malicious attacks have become nearly as big a problem, and they are more costly when they do occur.

Smart said that, in addition to educating and training employees on how to handle confidential information, the report shows it is equally important to have a proper incident response plan in place.
