March 08, 2011, 1:55 PM — The most recent, most authoritative annual estimate of the cost of data breaches brings with it great news for CIOs trying to justify increased security budgets and IT pros hoping for big raises or new jobs.
The cost of the average data breach was $7.2 million last year, up from $6.8 million in 2009.
The average cost per compromised record went up five percent, to $214.
That's good enough for the-sky-is-falling alarmist budget justifications, but two other points make it even better: Organizations with CIOs had much lower costs than those without, and companies that had never had a data breach before had the highest costs of anyone in the study -- $348 per record.
That's an increase of 48 percent from the year before for the one company in five in the study that had a previously spotless record.
The bad news in Ponemon Institute's 2010 Annual Study: U.S. Cost of a Data Breach is that negligence is still the biggest cause of data breaches -- 41 percent -- compared to the No. 2 cause, "malicious or criminal attacks," which caused 31 percent of breaches.
Negligence isn't a sexy problem to try to fix, or one that will boost an IT security budget much.
It also won't justify the kind of IT-focused approach most companies take to security, largely because putting in a new system that keeps information from leaking is a lot simpler than teaching all those gossipy, sloppy, unstructured-data-soaked masses in UserLand not to give away the store with every email to a customer or personal friend.
(System failures, by the way, are the No. 3 cause of data breaches.)
Tightening up IT systems and hiring lots of Black Hat veterans wouldn't have saved Massachusetts General Hospital from a $1 million settlement with federal regulators after an employee who took work home left a pile of HIPAA-protected files sitting on a subway seat in 2009.
They might have stopped an employee who was being fired from the San Francisco Human Services Agency from emailing case files containing clients' private data to her personal computer to help with a wrongful-termination case.
Probably not, though, because most security spending goes toward keeping bad guys out, not toward keeping good guys from slipping data under the door.