Data breaches cost an average business £1.4m

Information leaks cost businesses in the UK an average of £1.4m each in 2007, according to a study by privacy researchers from the Ponemon Institute, commissioned by security company Symantec and encryption company PGP Corporation.

In a report, released on Monday, the researchers received responses from 21 UK-based companies who had suffered information breaches in 2007. Public-sector organisations were not included in the survey, entitled 2007 Annual Study: UK Cost of a Data Breach, which focused mainly on financial institutions.

In the study the average total cost per company for a data breach was more than £1.4m per breach, and ranged from £84,000 to almost £3.8m. Breaches included in the survey ranged from fewer than 2,500 records to more than 125,000 records lost, from eight different industry sectors. The average cost of a lost record was estimated at £47.

The researchers found that the cost of lost business was the most significant component of data breach costs, accounting for 46 percent of the total expense. Lost business was calculated by studying "customer churn", or customer turnover rates. The researchers found that businesses experienced "abnormal customer churn" — higher customer turnover — as a result of a data breach. This lowered revenues, while more had to be spent on marketing to counter adverse publicity and try to attract new customers.

The main cause of data breaches was the loss of laptops or other devices, accounting for 36 percent of breaches; followed by lost paper records, at 24 percent.

Guy Bunker, chief scientist for Symantec in the UK, told ZDNet.co.uk that laptops and other portable media were lost mainly through human error, and that encryption could mitigate data loss.

"Most laptops carry information of a sensitive nature," said Bunker. "If that information is encrypted you don't have to worry in the same way."

Paper records were lost as information was not tracked in as efficient a way as electronic data, said Bunker.

"If you think back, in the last eight to 10 years there have been cases of sets of records found in a skip — the real issue is what to do about disposal," said Bunker. "If you outsource disposal, records are shredded offsite. People don't keep track of paper records."

According to the study, malicious code accounted for just three percent of breaches, while hacked systems accounted for six percent. Malicious insiders also only accounted for three percent of breaches.

Bunker said businesses could use these figures to look at their own organisations to identify processes and procedures to make more secure.

"It's less likely to be insider stuff," said Bunker. "The vast majority of breaches occur because of processes and procedures, so companies should cover those off first, then start looking at whether a malicious or insider piece could be going on."

The study found that 38 percent of the breaches were down to third parties, while 62 percent were down to insiders — the vast majority of which caused by human error.

"Companies need to look at the information security policies of partners or suppliers," said Bunker. "Ask them about their information security and privacy policies. If they look at you blankly perhaps it's time to look at other suppliers. Look at the chain of their outsourcers in turn — perhaps one of their suppliers has lost information."