Hostile attacks reign as the most expensive data breach for UK organisations. The 2010 study found that malicious or criminal attacks accounted for 29 percent of all data breaches, increasing from 22 percent over 2009. When information is compromised in this way, costs are at their highest, at an average of £80 per record, up £4 on 2009. The expenses associated with a data breach range from detection, escalation, notification, and customer churn due to diminished trust.

Key findings from the study include:

• System failure overtook the insider as the most common threat. In this year’s study, 37 percent of all cases involved a system failure, up 7 per cent on 2009 and accounts for the biggest rise of any data breach attribute. It replaced negligence, which at 34 percent dropped 11 points. Lost or stolen devices and third-party mistakes each fell slightly. Malicious or criminal attacks rose 5 points to 29 percent.
• Recognition of the risk of insecure mobile devices connecting to company networks jumps to 64 per cent. The likelihood of insecure mobile devices including smartphones and tablet computers accessing company data is 84 percent – an increase of 9 percent on 2009. Organisations are recognising this risk with 64 percent stating mobile device encryption was very important or important, an increase of 13 points from 2009.
• Lost business ranked as the biggest contributor to overall data breach costs. Recovering customers, profits and business opportunities after data breaches posed the greatest cost hurdles for companies in 2010. Lost business accounted for 48 percent of the total, an increase of 2 percent from 2009. Other contributing factors were costs sustained in the immediate aftermath of the event, such as resetting accounts and communicating with customers (known as ex-post response) at 23 percent and costs related to detection / escalation at 20 percent.
• Encryption and other technologies are gaining ground as post-breach remedies, with strengthening perimeter controls coming in third place. 75 percent of respondents use endpoint security solutions after data breaches; this is up significantly from 59 percent in 2009. Encryption is the second most implemented preventive measure as a result of a data breach, with 70 percent. Strengthening perimeter controls came in at 69 percent.
• Breaches involving third-party mistakes became a lower concern. Data breaches from third-party mistakes decreased marginally in 2010 to 34 percent, down 2 points. The cost of such breaches fell as well, down £7 (9 percent) to £74 per record. The drop may indicate that whilst the security of outsourced data remains important, those breaches became a lower priority in 2010.
• Responding rapidly to data breaches costs companies slightly more than if they take one month or longer. Quick responders (companies that notify victims within one month) had a per record cost of £72. The equivalent cost for companies that take longer than a month was £1 less per record (£71). This is a reversal from last year when faster companies benefitted from 19 percent less costs by reporting earlier. Regulatory compliance pressures may explain these factors, as The Information Commissioner’s Office (ICO) received new enforcement powers in 2010, encouraging a more serious approach to compliance in order to avoid heavy fines.