An annual survey by the Ponemon Institute and Symantec found that 71% of UK organisations have suffered a data breach in the last 12 months, while the average cost of that breach – excluding any associated regulatory fines – is £1.7m.
Recent news that the information Commissioner’s Office (ICO) now has the power to fine companies up to £500,000 for breaching the Data Protection Act has helped focus the minds of organisations on the issue of data loss and its prevention, however.
The survey took in 1,000 senior IT and business managers from 15 different industries, including financial services, public sector, consumer products and retail and healthcare, in the UK, France, Germany, and Australia.
It found that encryption was the technology with the largest increase in earmarked budget. When asked why companies were looking to invest in this area, mitigation of data breaches was cited by 40% of those questioned, and complying with privacy or data security regulations and requirements, at 39%. These figures increased from 30 and 35% in 2009 respectively.
Asked whether he was surprised that the ICO has so far not exercised its new powers to levy fines as high as £500,000 – it fined recruitment agency A4e just £60,000 for the loss of a laptop recently – Jamie Cowper, principal product marketing manager for encryption and data loss prevention, Symantec told CBR: "The cost of such breaches is not just about the fines from regulators but the organisational cost, the lack of trust, brand and reputation."
Cowper noted that the average cost of a UK breach is £1.7m even though that does not include any regulatory fines that may be incurred. But he conceded that, "On the face of it the Financial Services Authority [FSA] is a tougher regulator [than the ICO] in this area, undoubtedly."
The FSA fined Nationwide almost £1m for the loss of an unencrypted laptop in 2006, though the Nationwide insisted that it did not put any customer data at risk of identity fraud.
On the plus side the latest survey found that understanding of the risks is increasing, and that the UK faired slightly better than the rest of the world, with 71% of UK organisations confessing to at least one breach in the last 12 months compared to 88% of organisations worldwide.
"Given that tough new data protection regulations mandate the use of encryption as a hedge against data breaches, enterprises are under increased pressure to invest in these technologies in order to comply," said Dr. Larry Ponemon, chairman and founder of the Ponemon Institute. "A string of high-profile cases involving the loss, theft and misuse of data by government agencies and businesses in the UK has driven the Government to make improving cybersecurity – and particularly protection of personal information and national cyber infrastructure and sensitive data – a national priority."
In this year’s study, 53% of UK organisations had fully executed or just launched data encryption technology, while 47% were in the process of implementing data encryption programmes. As analysts note and Cowper conceded, the challenge cannot be solved with technology alone but with a more holistic approach to people, process and technology in the area of data management.
Even then, Cowper agreed that far more can be done to halt mistakes by a ‘well-meaning insider’ than can be done to stop a ‘malicious insider’ with access to sensitive data.
"The actions of a malicious insider can usually be discovered and logged, but not always prevented from occurring in the first place," Cowper said. "Companies can mitigate the risk by reining back access to those that do not absolutely need it, and looking at not just encryption but data loss prevention, device control, people and process in the round. More and more companies in this survey realised the risk of simply doing things as they have been – the old way."
"Most of these companies are starting to understand that they haven’t got a laptop problem or a USB stick problem, they’ve got a data problem," said Cowper.
You may wish to follow this author on twitter: www.twitter.com/jasonstamper