Study assesses the cost of a data breach

November 10, 2011

A new study by Ponemon Institute, sponsored by Experian, has some interesting observations. It is unclear what level of executive responded to their survey, although they said they were all at least managers, 40% report to the C-suite, and 26% are direct reports to the head of marketing or similar.

The interesting ‘bits’ include:

  • The hit to the corporate brand value was $180m to $334m (between 17% and 31% of total brand value).
  • As a percentage of their organizations’ annual gross revenues, the economic value of reputation and brand ranged from less than 10 percent to greater than 5X.
  • In some cases it could take longer than a year to recover and restore reputation and brand image.
  • When asked to rank the information that, if lost or stolen, would result in a diminished reputation or image, respondents say customer information would be most devastating. This is followed by confidential financial business information and confidential non-financial business information.
  • The average diminished value of the brand as a direct result of losing:
    • 100,000 customer records: 21%.
    • 100,000 employee records: 12%.
    • Trade secrets, new product designs, source code or strategic plans: 18%.
  • 82 percent of organizations had a data breach involving sensitive or confidential information. On average, they had 2.7 breaches in the past 2 years. Fifty-three percent say the data breaches had a moderate impact on reputation and brand image and 23 percent say it was significant. It is interesting to note that before having a data breach less than half had an incident response plan for customer data breaches in place. However, after the breach 76 percent say their organization put an incident plan in place.
  • Data breaches involving confidential employee information are less frequent than data breaches involving confidential customer information. Less than half (46 percent) of organizations in this study had a data breach involving the loss or theft of sensitive or confidential employee information. On average, organizations reporting such breaches had 1.5 in the past two years. Only 23 percent say such a breach had a moderate or significant impact on their organization’s reputation and brand image. While one-third say their organization had an incident response plan in place before the breach, 54 percent say they had such a plan in place following the breach.
  • Most organizations have had a data breach involving the theft of sensitive or confidential business information. On average these have occurred 2.9 times in these organizations. It is interesting to note that of all types of breaches, the theft or loss of confidential financial information experienced by these organizations seemed to have the most significant impact. Forty-six percent say the impact was moderate and 29 percent say it was significant. Prior to having such a breach, 57 percent had an incident plan in place. However, after such an incident 80 percent say they put a plan in place.
I find this interesting and wonder whether Information Security officers have prioritized their efforts in a similar fashion.
This week, I was at an ISACA event in San Francisco and information security practitioners were reporting that information security budgets are falling behind the risk. “They are the first to be cut”.
What is your experience?
  1. November 11, 2011 at 5:13 AM

    Hello Norman,
    Thank you for this post. Do you have a link to the complete study?
    Nicole

  2. Norman Marks
    November 11, 2011 at 6:47 AM

    Hi, I have added a link to the study in the first line. Thanks for pointing this out Nicole.

  3. Norman Marks
    November 11, 2011 at 3:53 PM

    I realize the link is to the executive summary. I have not seen the detail. Sorry.

  4. KevinB
    November 15, 2011 at 7:40 AM

    Very interesting! Thank you for this article.
    Kevin
