Friday, March 11, 2011

How not to handle a data breach

Press the panic button as soon as you find evidence customer data has
been compromised, and you'll pay the price

Once a data breach is discovered, the best response is to spring into
action and notify customers as fast as humanly possible, right? Well,
not really.

A brand-new Ponemon Institute study [PDF] sponsored by Symantec finds
that data breach victims often move too quickly, wasting lots of money
and losing customers unnecessarily.

According to Ponemon's "Annual Study: U.S. Costs of a Data Breach,"
companies that respond to data breaches by immediately notifying their
users end up spending 54 percent more per record than companies that
move more slowly. Forty-three percent of surveyed companies notified
customers within one month of discovering the breach, but these
companies ended up with per-record costs of $268, up 22 percent from
2009. Companies that took longer than a month spent only $174 per
record, down 11 percent from 2009.

What's the explanation? It turns out that many companies tend to panic
when they find a data breach, thanks to fears about lawsuits,
regulatory fines, and bad publicity, and thus are not as prepared with
the forensic tools and strategies as they should be. Their gut
reaction is to get notification over with as fast as possible, so they
end up notifying an excess of customers, including many of those who
are unaffected by the breach. As a result, they end up shooting
themselves in the foot. The biggest cost of data breaches is customer
churn, according to the study, and many of these companies end up
losing lots of customers that they didn't need to notify.

According to Ponemon, companies that take a more surgical approach and
spend the time on forensics to detect which customers are actually at
risk and require notification ultimately spend less on data breaches.

The study reported other findings on the state of network security:

Malicious or criminal attacks are the most expensive and are on the
rise. In this year's study, 31 percent of all cases involved a
malicious or criminal act, up seven points from 2009, and averaged
$318 per record, up 43 percent from 2009.

In addition:

The cost of breaches by third-party outsourcers rose significantly, up
$85 (39 percent) to $302 per record. These figures may indicate that
compliance with government and commercial regulations for data
protection is dramatically raising the cost of breaches involving
outsourced data.

The moral, as always, is to be prepared. Have a strategy and tools in
place to do the proper forensics, know your exact compliance
requirements, and move quickly but cautiously to notify only those
customers who are directly affected. In other words: Don't panic!
