IT security study carries cynically great news for CIOs

CIOs, IT spending will address increasing cost of data breach

The most recent, most authoritative annual estimate of the cost of data breaches brings with it great news for CIOs trying to justify increased security budgets and IT pros hoping for big raises or new jobs.

The cost of the average data breach was $7.2 million last year, up from $6.8 million in 2009.

The average cost per-compromised-record went up five percent, to $214.

That's good enough for the-sky-is-falling alarmist budget justifications, but two other points make it even better: Organizations with CIOs had much lower costs than those without, and companies that had never had a data breach before had the highest costs of anyone in the study -- $348 per record.

That's an increase of 48 percent from the year before for the one company in five with a previously spotless record.

The bad news in Ponemon Institute's 2010 Annual Study: U.S. Cost of a Data Breach is that negligence is still the biggest cause of data breaches -- 41 percent -- compared to the No. 2 cause, "malicious or criminal attacks," which caused 31 percent of breaches.

Negligence isn't a sexy problem to try to fix, or one that will boost an IT security budget much.

It also won't justify the kind of IT-focused approach most companies take to security, largely because putting in a new system that will keep information from leaking is a lot simpler than figuring out how to teach all those gossipy, sloppy, unstructured-data-soaked masses in UserLand how not to give away the store with every email to a customer or personal friend.

(System failures, btw, are the No. 3 cause of data breaches.)

Tightening up IT systems and hiring lots of Black Hat veterans wouldn't have saved Massachusetts General Hospital more than $1 million in fines after an employee who took work home left a pile of HIPAA-protected files sitting on a subway seat in 2009.

They might have stopped an employee being fired from the San Francisco Human Services Agency from emailing case files with the private data of clients to her personal computer to help with a wrongful-termination case.

Probably not, though, because most security spending is on things designed to keep bad guys out, not keep good guys from slipping data under the door.

I have no doubt Ponemon's data is right, or that the trends noted in the report -- some initial reports of real risk in the cloud and a sharp rise in the mobile-security risks -- are accurate.

I also have great confidence most of the data will be used to justify spending on exactly the things they have been until now -- locking the door to hackers and improving compliance so top executives can show they're trying to be transparent and honest.

I have no confidence anyone will pay much attention to the top number, which shows simple sloppiness or not paying enough attention loses more data and more money for U.S. companies than any other security risk, and that the only way to address it is working with people, not just technology.

Kevin Fogarty writes about enterprise IT for ITworld. Follow him on Twitter @KevinFogarty.

What’s wrong? The new clean desk test
Join the discussion
Be the first to comment on this article. Our Commenting Policies