Channel Partners Could Cost Customers More in Data Breach IncidentsBy Ericka Chickowski | Posted 2010-01-25 Email Print
Re-Thinking HR: What Every CIO Needs to Know About Tomorrow's Workforce
The fact that data breaches caused by third parties cost client organizations more than in-house breaches could actually offer solution providers with a distinct security advantage a big competitive differentiator if they play their cards right, according to recent study by Ponemon.
Your security mistakes could cost your clients even more than those they make themselves, according to new results released today by the Ponemon Institute in its fifth annual Cost of Data Breach study.
After surveying data breaches from around the world for its
2010 study, the research organization found that data breaches caused by third
parties such as channel partners cost client organizations $217 per record
versus the $194 per record cost of breaches caused by internal-only breaches.
The $21 difference likely stems from a number of additional difficulties in coordination that crop up when third parties are involved, says Larry Ponemon, chairman and founder of the Ponemon Institute.
"We find that, year in and year out, third-party mistakes are a major cause of data breach," Ponemon says. "When third parties lose data, it becomes more expensive, typically because the detection and escalation is more difficult. Notification sometimes is haphazard when deciding who's responsible for what, and the ex-post response normally is a little bit more complicated deciding who's responsible for dealing with questions and concerns."
Sponsored by PGP, the annual survey showed that the average cost of breaches edged up again this year, from $202 to $204 per compromised record. The average organizational cost rose from $6.65 million in the 2009 study to $6.75 million in 2010.
According to the study, 42 percent of breaches were made up of those caused by third-party mistakes, which include not only flubs by IT service providers, but also by other solution partners such as payment card processors and other acquirers of data.
Ponemon says that his research is showing that third-party data acquirers could well be in the crosshairs of criminal attackers, who understand that they are often not as well-protected as the organizations that actually own the data.
"We've also found that third parties in some cases had security infrastructure that was not as comprehensive or not high as quality as the company that was outsourcing to them," he says. "We especially saw this with third parties offshore, and that could be an easy access point for the malicious or criminal hackers. The bad guys knowing this might actually look at the path of less resistance, and they may actually turn to third parties more often as a result."
This could actually offer solution providers with a distinct security advantage a big competitive differentiator if they play their cards right, Ponemon says.
"We're starting to see third parties, especially companies in IT hosting, IT operations and even cloud computing vendors, starting to sell their customers and prospective customers on security," Ponemon says. "I had not seen this before in my entire life, and I've been in security for like 35 years."