Ponemon - Smaller breaches likely; consultants a risk?


The latest annual data breaches report from the Ponemon Institute says that the probability of a company being hit by a small breach (less than 10,000 records) is far greater than a major problem occurring - defined as a breach of more than 100,000 records - and, surprisingly, includes engagement of consultants as a risk factor.

For the report, the research group took in responses from 314 companies spanning 10 countries, including the UK and the US - all the organisations polled had been hit by a data breach ranging from a low of approximately 2,415 to slightly more than 100,000 compromised records.

The study defines a compromised record as one that identifies the individual whose information has been lost or stolen in a data breach.

Delving into the analysis, Ponemon's ninth annual report on the topic reveals that a strong security posture results in the greatest decrease in the cost of a data breach.

Other 'positive' factors include effective incident response planning, business continuity management and a CISO with enterprise-wide responsibility - all of which help to decrease the per capita cost of a data breach.

Factors that increase the risk - and the per capita cost - of a data breach include lost or stolen devices, third-party involvement in the incident, rapid notifications and engagement of consultants.

Sarb Sembhi, an analyst and director of consulting with Incoming Thought, told SCMagazineUK.com that - whilst he agreed with the logic behind the decreasing factors - he was a little puzzled by the 'increasing' risk factors, most notably rapid notifications and engaging consultants in the remediation process.

"This is the first report of its type that looks at these factors, but I would have thought that engaging a third-party consultant to advise on a breach would actually help the organisation to reduce the costs, particularly in the remediation process," he explained.

The report observes that around one-third of companies are incorporating cyber insurance as part of their risk management strategy. Of the 32 percent of organisations polled that have a cyber insurance policy to manage the risk of attacks and threats, 54 percent said they were satisfied with the coverage.

Sembhi - who is also a leading light in ISACA, the not-for-profit IT security association - said it is interesting to note that respondents to the report thought that the insurance company would not pay out in the event of a data breach.

"The 32 percent of companies with insurance is also lower than the 50 percent logged in the recent PwC data breaches report," he said, adding that he is seeing more organisations considering cyber security insurance as part of their overall IT security strategy.

The report - which is sponsored by IBM this year - also revealed that the average total cost of a data breach has increased.

Compared to last June's analysis, the average total cost of a data breach has increased 15 percent to around £2.1 million, with the average (direct plus indirect) cost of a single lost or stolen record reaching £90 - up from £85 in last year's report.
