Cost of hack attacks soars

There has been a sharp rise in the financial impact of hack attacks, with new estimates putting the average cost of a data breach at $182 per compromised record.

The figures, published in 'Ponemon 2006 Annual Study: Cost of a Data Breach', represent a 31 per cent increase over 2005. Analyst firm the Ponemon Institute analysed 31 different incidents for the study, which found that total costs for each hack attack ranged from less than $1m to more than $22m.

The research, which was co-sponsored by the PGP Corporation, and Vontu, tracks a wide range of cost factors, including legal, investigative, and administrative expenses, as well as stock performance, customer defections, opportunity loss, reputation management, and costs associated with customer support such as information hotlines and credit monitoring subscriptions.

"The burden companies must bear as a result of a data breach are significant, making a strong case for more strategic investments in preventative measures such as encryption and data loss prevention," said Dr Larry Ponemon, chairman and founder of The Ponemon Institute.

"Tough laws and intense public scrutiny mean the consequences of poor security are steep – and growing steeper for companies entrusted with managing stores of consumer data."

"Once again, the Ponemon survey illuminates the high costs companies will incur for failing to protecting their customers' data," added Andrew Krcik, vice president of marketing for PGP Corporation.

"The report shows companies must spend prodigiously to recover from data breaches. In fact, 72 per cent of respondents indicated that the cause of the data breach was because digital information was not properly protected."

A separate report recently issued by Vontu and The Ponemon Institute, 'US Survey: Confidential Data At Risk', claims that companies do not have adequate controls over the storage of sensitive or confidential data at rest. In that study, 81 per cent of respondents reported that their organisations have experienced one or more lost or missing laptop computers that contained sensitive or confidential business information in the past 12-month period.