System failure has overtaken the insider as the most common threat in terms of data loss.
According to a study by Symantec and the Ponemon Institute, 37 per cent of all data loss cases involved a system failure, up seven per cent on 2009. It displaced negligence and lost devices, as well as third-party mistakes, as the most common threat. Malicious or criminal attacks, however, rose five points to 29 per cent of all breaches.
Robert Mol, director of product marketing for EMEA at Symantec, said it was interesting to see system failure as the highest factor. “As complexity increases in the infrastructure, you find more vulnerabilities in the space that are attacked by outsiders as security measures are not put in place,” he said.
“A big topic of this research is negligence, the loss of devices with more and more confidential data stored on them. Often negligence is well-meaning and not intentional and that is the difference between a system failure and an unintentional loss.”
The report also found that the average data breach incident cost UK organisations £1.9 million in 2010, an increase of 13 per cent on 2009 and 18 per cent from 2008.
A key finding was that breaches involving third-party mistakes declined to 34 per cent from 36 per cent last year. The cost of such breaches fell, down £7 (9 per cent) to £74 per record.
Mol said: “This is related to the implementation of compliance tools where technology enables a third party to access information. A better policy is making sure that the company is focussed on the security threat of a third party coming in and how certain policies can be adapted for what can be accessed and what cannot.
“The study shows how companies with information protection best practices in place can greatly lower their potential data breach costs. Information-savvy organisations are protecting the data itself wherever it is stored or used, and also creating a culture of security including training, policies and actions.”
Dr. Larry Ponemon, chairman and founder of the Ponemon Institute, said: “We continue to see an increase in the costs to businesses suffering a data breach. Regulators are cracking down to ensure organisations implement required data security controls or face harsher penalties.
“Confronted with both malicious and non-malicious threats from inside and outside the organisation, companies must proactively implement policies and technologies to mitigate the risk of costly breaches.”
Chris Jenkins, security business manager at Dimension Data UK, said: “Traditionally risks from data leakage have been hard to quantify and a business case for investment in security measures has consequently been difficult to build, even though the will may be present in the IT department.
“Now there are many public examples of the damaging effects of data leakage incidents that businesses can draw on to help build the case for investment in data loss prevention (DLP).
“DLP is not a one-size-fits-all solution. Businesses need to gain a comprehensive view of their security posture and weigh this against their appetite for risk, before deciding what DLP is necessary to lower risk to an acceptable level. At the least, even if they don't go on to make any new investments, this proactive approach will help them prepare for the consequences of a damaging data leak. At best, it will greatly reduce their risk of having a data leak and, if one does occur, the fallout from it and the resulting costs.”
Mol said: “It is never good to implement technologies after the event and great awareness of the threat will remind companies that they need to follow and assess their risks and classify what confidential data they have, where it is and who has access to it.”