Why data breach costs are really going down

A new study by Telus Corp. reveals that while Canadian organizations reported 29 per cent more data breaches in 2010 versus the previous year, the annual cost of these security issues has dropped substantially.

The telecom giant’s report, which polled 500 business and IT professionals, was part of a joint study with the University of Toronto’s Rotman School of Management. The report found that breaches were up almost 30 per cent year-over-year, largely because of a doubling in reported incidents at government agencies.

Yogen Appalraju, vice-president of Telus’ security solutions division, said better detection and protection technologies have not only led to more reporting across the board, but also to better containment techniques. This, he said, starts to explain why reported breaches have jumped 30 per cent in 2010, while breach costs dropped from an average of $834,000 in 2009 to $179,508 in 2010.

Appalraju added, however, that targeted attacks have been on the rise during the same period, which might be contributing to the underreporting of data breach losses at some firms.

“In a lot of cases, organizations might not know that they’ve been breached for a long time,” he said.

For Walid Hejazi, professor of business economics at Rotman, the massive 78 per cent decrease in breach costs underscores a drastic change in the way hackers and cyber criminals are going about their trade.

“They’re not trying to bring down the network anymore,” he said.

Increasingly, criminals are targeting organizations and employees that can give them sensitive data that can be sold or repurposed for financial gain.

Hejazi said enterprises often felt a huge financial hit any time their network and IT infrastructure were attacked. But when attackers target credit card data instead, the data breach costs are being felt amongst customers.

In cases where attackers are targeting intellectual property or sales leads, he added, an organization is often unaware that it has lost its competitive advantage and fails to report any data breach costs.

As for the state of IT security teams, the Telus survey found that organizations decreased the size of security staff in 2010 much more than the previous year. In 2010, 50 per cent of responding organizations reported security teams of one to five staff members compared with 12 per cent reporting teams of six to 10 staff members.

One of the biggest issues these smaller security teams have been tasked with, Telus said, is the job of controlling social networking access. But the study found that even though one in four responding Canadian organizations actively blocked access to social networking sites for security reasons, these companies did not experience any improvement in security.

According to Hejazi, some organizations that block access to social networking sites actually bring productivity and security issues upon themselves as employees spend valuable time trying to circumvent the block or surf the sites through their mobile devices.

He said organizations should ideally allow social networking access and put into place extensive education programs to ensure that employees know how to use the sites responsibly. And that doesn’t mean just telling your employees to “go on Facebook and be careful,” Hejazi said.

He added that employees should be advised that even a few unrelated Facebook or Twitter messages at the wrong time may lead to negative consequences.

“Especially in the financial sector, the fact that you’re talking on Facebook about nothing can send a signal to a lot of signals to your competitors,” Hejazi said.
