Cost of UK data breach rises for sixth year running

Average direct and indirect costs associated with a data breach were £2.04m among the 38 UK firms examined in a global study

The average per-capita (per-record) cost of a data breach among UK firms has risen for a sixth consecutive year, a study by Symantec and the Ponemon Institute has found.

According to the duo's 2013 Cost of Data Breach Study, the average cost per lost or stolen record rose to £86 in 2012, compared with £79 in 2011, £71 in 2010, £64 in 2009, £60 in 2008 and £47 in 2007 - the first year the UK was included in the study.

Conducted globally, the study examined the direct and indirect costs incurred by 277 companies in the US, UK, Germany, France, Australia, Italy, Japan and Brazil after they experienced the loss or theft of protected personal data.

Some 38 UK companies in 12 industry sectors were included in the study.

The report examines both business costs - including expense outlays for detection, escalation, notification and response - and the economic impact of lost or diminished customer trust and confidence, measured through customer churn.

Ponemon said the UK data was based on cost estimates provided by more than 300 individuals interviewed over a 10-month period.

The average number of breached records for the 38 UK incidents was 23,833. This meant that the average organisational cost of a breach in the UK also rose, hitting £2.04m, compared with £1.75m in 2011 and £1.42m in 2007.

The human factor was found to be the main cause of breaches, although malicious or criminal attacks were more costly, the study found.

Thirty-seven per cent of breaches involved negligent employees or contractors, with malicious or criminal attacks behind just 34 per cent of incidents. Breaches caused by the latter, however, carried an average cost of £102 per capita, compared with £76 for breaches caused by human error and £79 for breaches caused by system or business-process failures.

Lost business costs - costs stemming from abnormal customer turnover - rose to £921,000 per firm, compared with £779,000 in 2011.

Organisations with a formal incident response plan in place prior to the incident saw their cost per record reduced by £13, Ponemon said.

Mike Smart, product and solutions manager at Symantec, said: "With more than a third of UK data breaches involving negligent employees or contractors the 'human factor' is still the weakest link, and so training and awareness should be a priority from the offset.

"But here in the UK it seems that malicious attacks are becoming nearly as big a problem. Not only have more data breaches been down to malicious attacks, but when it does happen, it is far more costly."

While the study noted that the UK has established consumer protection laws - the Information Commissioner's Office currently has the power to fine organisations up to £500,000 for failing to prevent a data breach - the average cost of a breach was much higher among US and German firms studied ($5.4m and $4.8m respectively).