Your security mistakes could cost your clients even more
than those they make themselves, according to new results released today by the
Ponemon Institute in its fifth annual Cost of Data Breach study.
After surveying data breaches from around the world for its
2010 study, the research organization found that data breaches caused by third
parties such as channel partners cost client organizations $217 per record,
versus $194 per record for breaches caused entirely within the organization itself.
The $21 difference likely stems from a number of additional difficulties in
coordination that crop up when third parties are involved, says Larry Ponemon,
chairman and founder of the Ponemon Institute.
"We find that, year in and year out, third-party mistakes are a major
cause of data breach," Ponemon says. "When third parties lose data,
it becomes more expensive, typically because the detection and escalation is
more difficult. Notification sometimes is haphazard when deciding who’s
responsible for what, and the ex-post response normally is a little bit more
complicated deciding who’s responsible for dealing with questions and
concerns."
Sponsored by PGP, the annual survey showed that the average cost of breaches
edged up again this year, from $202 to $204 per compromised record. The average
organizational cost rose from $6.65 million in the 2009 study to $6.75 million
in 2010.
According to the study, 42 percent of breaches were caused by
third-party mistakes, which include not only flubs by IT service providers but
also those by other solution partners such as payment card processors and other
acquirers of data.
Ponemon says that his research is showing that third-party data acquirers could
well be in the crosshairs of criminal attackers, who understand that they are
often not as well-protected as the organizations that actually own the data.
"We’ve also found that third parties in some cases had security
infrastructure that was not as comprehensive or not as high quality as the
company that was outsourcing to them," he says. "We especially saw
this with third parties offshore, and that could be an easy access point for
the malicious or criminal hackers. The bad guys, knowing this, might actually
look at the path of less resistance, and they may actually turn to third
parties more often as a result."
This could give solution providers with a distinct security advantage
a big competitive differentiator if they play their cards right, Ponemon says.
"We’re starting to see third parties, especially companies in IT hosting,
IT operations and even cloud computing vendors, starting to sell their
customers and prospective customers on security," Ponemon says. "I
had not seen this before in my entire life, and I’ve been in security for like
35 years."