IT incompetence close to defeating malice

While hackers get all the headlines for security breaches, malice is close to being swamped by a rising tide of incompetence.

According to the Cost of Data Breach report by Ponemon Institute, 37 percent of security breaches stem from malicious attacks.

But more than 35 percent were caused by human error or negligence on the part of an employee or contractor. The system going tits up was responsible for only 29 percent of problems.

The way we read it is that if systems administrators do not allow users near their machines they can save themselves a third of downtime. If they unplug them from the internet too, then their computer systems will generate a serious security breach only 29 percent of the time. Of course we could have got this wrong.

Once a system crashes due to a security breach, it costs about $188 per exposed record in cleanup costs.

The report, which was sponsored by Symantec, is based on surveys of 277 businesses across nine countries.

The study found that each data breach cost US businesses, on average, $5.4 million in 2012, down slightly from $5.5 million in 2011.

Germany is second after the US with a total cleanup cost of $4.8 million, spending more tidying up each breach. In Brazil it only costs $58, and in India $42.

Larry Ponemon, chairman of the Ponemon Institute, said in a statement that eight years of research on data breach costs has shown employee behaviour to be one of the most pressing issues facing organisations today, up 22 percent since the first survey.

Although intentional attacks were the leading data breach culprit in Germany, human error was most often to blame in Brazil, while the leading reported cause of breaches at Indian businesses was traced to system glitches or business process failures.

Industries with the worst breach costs were healthcare, with $233 per exposed record, financial services with $215, and pharmaceuticals, which cost $207.

Healthcare and financial services industries reported that the greatest cost associated with a data breach was lost business.