Report: Data breaches cost UK firms an average of £1.75m in 2011

Symantec research reveals a small drop in the average cost of a breach

The average cost to UK organisations for data breach incidents has declined from £1.9m in 2010 to £1.75m in 2011, according to a report from security firm Symantec.

The decline suggests that organisations have improved their performance in preparing for and responding to a data breach, and that this has resulted in fewer records being lost in these breaches.

The findings come from a report entitled The 2011 Annual Study: UK Cost of Data Breach 2011, which examines a range of business costs and analyses the economic impact of lost or diminished customer trust, as measured by customer turnover.

"We're noticing that companies at risk of data loss are becoming wise to the financial impact of a data breach. These businesses are implementing steps, not just to prevent loss but to mitigate the damage, should a breach occur," said Mike Jones, senior product marketing manager at Symantec.

"It's not just direct costs such as fines from the Information Commissioner's Office (ICO) that need to be considered, although these help to drive the business case for preventative measures, but also indirect costs such as brand impact and disappointed customers leaving the brand."

Although the organisational cost of data breaches has decreased for the fifth consecutive year, the cost per lost or stolen record has increased.

The average cost per record for organisations participating in the study increased from £71 in 2010 to £79 in 2011. Some £37 of this consists of indirect costs such as lost business, reputational damage or churn of existing customers.

The study also found that the main cause of a data breach is negligent employees or contractors, who accounted for 36 per cent of all data breaches.

The most costly attacks are malicious or criminal attacks. These have increased from 29 per cent in 2010 to 31 per cent in 2011.

The remaining 33 per cent of cases involved system glitches, including a combination of both IT and business process failures.

"Accordingly, organisations need to focus on processes, policies and technologies that address threats from the malicious insider or hacker," the report reads.

Some 64 per cent of the victims of malicious or criminal attacks said that these attacks involved viruses, malware, worms or trojans.

Nearly a third (31 per cent) of all the organisations said that their data breach incident involved one or more lost or stolen data-bearing devices, such as laptops, tablets, smartphones and servers.

Jones warned businesses not to be complacent, as complacency may affect their profits in the long term.

"We've shifted to an age where data breaches are now just a common occurrence. As such, UK consumers have become somewhat desensitised to data losses, but that doesn't mean that businesses should become complacent," he said.

"The cost of data loss still remains high and, in tighter economic times, even a single digit increase in customer churn can be terminal to profitability."