Cost of data breaches continues to rise

Friday, 30 March, 2012

The average cost of a data breach to Australian organisations has risen for the third year in a row, reaching $2.16 million in 2011, according to a study from Symantec and the Ponemon Institute.

The study, based on the experiences of 22 Australian organisations that reported a data breach in 2011, found that the three major categories of data breach occurred in similar numbers: 36% of data breaches were caused by malicious or criminal attacks, while individual negligence and system glitches each accounted for 32% of data breach incidents.

“As local organisations embrace new technologies, businesses need to focus on processes, policies and technologies that improve their ability to prevent and detect data breaches,” said Craig Scroggie, Vice President and Managing Director, Pacific Region, Symantec.

“Taking steps to keep customers loyal and repair any damage to reputation and brand after a data breach has occurred can help to significantly reduce the cost of a data breach.”

The increase in the cost of a data breach in Australia contrasts with findings in the US, where the costs of data breaches are decreasing.

“While countries such as the US are experiencing a decrease in the cost of a data breach, Australia’s costs continue to rise,” Scroggie said. “Despite a growing awareness of the financial impact of a data breach, Australian businesses continue to focus their efforts on mitigating the damage once a breach has occurred, rather than prevention.

“Many data breach incidents still go unreported in Australia, leaving customers unaware that their personal information has been compromised. It is important that Australia fast tracks the adoption of data breach notification laws which encourage business to minimise the likelihood of a breach rather than focusing on the aftermath,” Scroggie said.

Symantec recommends the following best practices to prevent data breaches:

  1. Assess risks by identifying and classifying confidential information.
  2. Educate employees on information protection policies and procedures, then hold them accountable.
  3. Extend these policies to any third parties that manage customer information; conduct regular audits and monitoring.
  4. Deploy data loss prevention and endpoint security technologies that enable policy compliance and enforcement.
  5. Encrypt mobile devices, including laptops and smartphones, to minimise the consequences of a lost device.
  6. Integrate information-protection practices into businesses’ processes.