Data Breach Costs Rising

The Ponemon Report, 2008 Annual Study: Cost of a Data Breach, also revealed that data breaches as a result of outsourced functions had increased over previous years, and that first-time victims suffered greater costs than those that had already experienced a breach. For first-time victims, the per-victim cost of a data breach was $243, compared to $192 for those that had suffered breaches in the past.

The 69% of data breach costs stemming from lost business was reflected in an increase in the average customer churn rate suffered by companies that were victims of data loss. The 2008 churn rate was 3.6%, up from 2.67% last year. The healthcare industry was the most affected, with a 6.5% churn rate, followed by finance at 5.5%.

The percentage of breaches attributable to third-party organisations such as contractors, customers, and outsourcers increased to 44% in 2008, up from 40% in 2007 and 29% in 2006.

"You not only have to deal with the systems and processes and people within your own four walls, but you must also get a third party whom you have no control over to change their systems, too," said John Dasher, product development manager at PGP, which sponsored the report. "As news of these breaches gets out, it will educate people that they need to ensure that the people with whom they're doing business have a security policy that's in line with their own."

Training and awareness programmes were the most commonly implemented measures in the wake of a data breach, followed by additional manual procedures and controls, expanded use of encryption, and identity and access management systems. The least common post-breach measure was the strengthening of perimeter controls (perhaps unsurprising given the rise in the percentage of third-party breaches). What was surprising was the relatively low number of organisations implementing data loss protection measures after suffering a breach. Just 37% of companies took this approach.

"We've always advocated that corporations need to take a step backward and look at the lifecycle of their data," said Dasher. "Developing that sort of a view is the only coherent way of coming up with a strategy for data protection."

The survey examined the experiences of 43 US companies across 17 different sectors that had suffered from data losses.
