SYDNEY, Australia – March 29, 2012 – The average cost of a data breach reported by Australian organisations has risen steadily for the third consecutive year, reaching $2.16 million in 2011, according to research released today by Symantec Corp. (NASDAQ: SYMC) and Ponemon Institute. The study also found that malicious or criminal attacks were the most common cause of data breaches and the most expensive type of breach overall for Australian businesses. The 2011 Cost of Data Breach Study: Australia report is based on the actual data breach experiences of 22 Australian companies from ten different industry sectors.
“The large volume of data breach incidents occurring over the last year has put data breaches high on the agenda for Australian executives,” said Craig Scroggie, vice president and managing director, Pacific region, Symantec. “As local organisations embrace new technologies, businesses need to focus on processes, policies and technologies that improve their ability to prevent and detect data breaches. Taking steps to keep customers loyal and repair any damage to reputation and brand after a data breach has occurred can help to significantly reduce the cost of a data breach.”
Key findings:
- The cost of a data breach increased. The report revealed that the cost per lost or stolen record and the total organisational cost of a data breach have both increased in the past 12 months. The cost per record was $128 in 2010 and increased by $10 (eight percent) to $138 in 2011. The average total organisational cost of a data breach increased from $2 million in 2010 to $2.16 million in 2011. This increase suggests the need for organisations to improve their ability to respond to data breaches.
- Malicious and criminal attacks are the main causes of data breaches and are the most expensive. The survey revealed that 36 percent of data breaches were caused by malicious or criminal attacks in 2011. These were also the most expensive breaches, with the highest per capita cost of $183 per record in 2011. Additional causes of data breaches were identified as individual negligence and system glitches, each accounting for 32 percent of local data breach incidents. In comparison, 39 percent of organisations in the US say negligent insiders were the root cause of the data breaches.
- Lost or stolen devices are a common factor in local data breaches. Interestingly, the report found that lost or stolen devices were a common factor in local data breaches, impacting 32 percent of Australian respondents. Additionally, 36 percent of local respondents said that their data breaches involved mistakes by third parties including outsourcers, cloud providers and business partners.
- Lost business costs increased sharply. Lost business costs, which relate to reputational damage, diminished goodwill and increased customer acquisition activities, rose by 22 percent from $690,000 in 2010 to $840,000 in 2011.
- Detection costs increase slightly while escalation costs remain consistent. Costs relating to the detection of data breaches increased by only five percent and notification costs remained about the same at $77,000 in 2010 and $76,000 in 2011. This is unsurprising given that Australia still lacks regulations requiring companies to notify their customers of a data breach.
- More customers remain loyal following the data breach. For the first time, fewer customers are abandoning companies that have a data breach. However, certain industries (e.g. technology and communications) are more susceptible to customer churn, which could cause their data breach costs to be higher than the average. Taking steps to keep customers loyal and repair any damage to reputation and brand can help reduce the cost of a data breach.
- Certain organisational factors reduce the overall cost. For businesses concerned about the financial impact of data breaches, the report identified three key strategies to manage costs. On average, organisations were able to reduce costs by $30 per record by responding to the breach within 30 days. Additionally, organisations with a CISO overseeing enterprise data protection saw the average cost per incident reduced by $35 per record. Finally, by engaging an external consultant to help remediate data breaches, the cost can be reduced on average by a significant $45 per compromised record.
“While countries such as the US are experiencing a decrease in the cost of a data breach, Australia’s costs continue to rise. Despite a growing awareness of the financial impact of a data breach, Australian businesses continue to focus their efforts on mitigating the damage once a breach has occurred, rather than prevention.”
“Many data breach incidents still go unreported in Australia, leaving customers unaware that their personal information has been compromised. It is important that Australia fast tracks the adoption of data breach notification laws which encourage business to minimise the likelihood of a breach rather than focusing on the aftermath,” concluded Scroggie.
Best Practices to Avoid Data Breaches
Symantec recommends the following best practices to prevent data breaches:
- Assess risks by identifying and classifying confidential information
- Educate employees on information protection policies and procedures, then hold them accountable
- Extend these policies to any third parties that manage customer information; conduct regular audits and monitoring
- Deploy data loss prevention and endpoint security technologies that enable policy compliance and enforcement
- Encrypt mobile devices, including laptops and smartphones, to minimise the consequences of a lost device
- Integrate information-protection practices into business processes
Estimating the Cost of a Breach
The 2011 Cost of Data Breach Study: Australia report is based on the actual data breach experiences of 22 Australian companies from ten different industry sectors. It takes into account business costs, including expense outlays for detection, escalation, notification and after-the-fact response. The study also analyses the economic impact of lost or diminished customer trust as measured by customer churn or turnover rates. Results were not hypothetical; they represented estimates for costs resulting from actual data loss incidents.
Companies can analyse their own risk by visiting Symantec’s Data Breach Risk Calculator. Based on six years of trend data, the calculator takes into account an organisation’s size, industry, location and security practices to estimate how much a data breach would cost per record and in total.
Resources
- Australia Cost of a Data Breach Report
- Symantec’s Data Breach Risk Calculator
- Cost of a Data Breach Press Kit
- Blog Post: Insider Data Theft: When Good Employees Go Bad
- Infographic: Cost of a Data Breach
- SlideShare: Cost of a Data Breach
- Symantec’s Encryption Offerings
- Symantec’s Data Loss Prevention Offerings
About Ponemon Institute
Ponemon Institute is dedicated to advancing responsible information and privacy management practices in business and government. To achieve this objective, the Institute conducts independent research, educates leaders from the private and public sectors and verifies the privacy and data protection practices of organisations in a variety of industries.
About Symantec
Symantec is a global leader in providing security, storage and systems management solutions to help consumers and organisations secure and manage their information-driven world. Our software and services protect against more risks at more points, more completely and efficiently, enabling confidence wherever information is used or stored. More information is available at www.symantec.com.