When considering the top causes of data breaches, most of us tend to focus on malicious attacks.
We imagine shadowy figures who launch malware and phishing emails, or who install backdoors and keystroke loggers, from a dark bunker far away.
But did you know that roughly half of data breaches may be caused by other problems – such as system glitches or human error?
The 2017 Cost of Data Breach Study from Ponemon Institute looks at the average total cost of data breaches at 419 organizations in 11 countries, and also the root causes of those breaches.
We dug into the data and found the insights below.
Cause #1. Malicious or Criminal Attacks
The root causes of data breaches are grouped into three categories in the Ponemon study – and “malicious or criminal attack” tops the list.
Because these attacks account for almost half of the total, one might assume an organization is almost twice as likely to experience a data breach caused by a malicious or criminal attack rather than by human error.
Why do attackers do this? Their motives can vary.
Here are three common attack motives from the 2017 Verizon Data Breach Investigations Report:
- Financial – The most common motive for cyber-attacks that result in data breaches is to make money. Attackers may hope to sell stolen data on the black market, or extort money from their victims by holding their systems hostage.
- Espionage – Attackers may be less interested in financial gain and more interested in secrets. Stolen government and military intelligence can help guide a geo-political strategy. Stolen trade secrets and R&D data may provide an edge in commerce.
- Fun, Ideology, Grudge (FIG) – Some attackers have a political or personal axe to grind with a victim. Others simply enjoy using computers to spread misery.
Cause #2. Human Error
Causing 28% of the data breaches reviewed in the study, human error is perhaps the most exasperating cause of data breach because it’s the most preventable.
Examples of the ways human error can lead to data breaches include:
- Failure to apply patches to known vulnerabilities
- Employees leaving laptops or other devices in unlocked cars, where they are easily stolen
- Employees mistakenly emailing sensitive information to an unintended party
- A database containing confidential information being unintentionally configured to be internet facing, and thereby accessible by search engines
Cause #3. System Glitches
About one-quarter (25%) of the data breach causes reviewed in the study were system glitches, or sudden breaks in the continuity or function of a system.
A glitch can occur for any number of reasons.
For example, a software update may inadvertently expose records to the public.
In Oct. 2016, this happened to a state government system in Michigan, exposing the records of 1.9 million people for the following four months.
Other examples of glitches include:
- Application failures
- Logic errors in data transfer
- Inadvertent data dumps
Data Breach Costs Vary by Cause
Malicious or criminal attacks are the most expensive cause of data breaches reviewed in the study.
According to Ponemon, each malicious attack cost an average of $156 per compromised record (aka “per capita cost”).
System glitches that result in a data breach cost less – only $128 per record on average.
The least expensive cause of data breaches on average was human error, with a per capita cost of $126.
U.S. Leads World in Data Breach Costs
Data breaches are most expensive in the United States and least expensive in India, according to the report.
In India, the average cost of a data breach was $64 per record.
In the U.S., the average was $225 – that’s 250% higher!
The report’s authors note several reasons why data breaches are so costly in the U.S.
- Companies in the U.S. lose more than twice as much business after a data breach as companies from other regions
- Notification costs are highest in the U.S. – roughly $0.69 million on average per breach studied, compared to just $0.02 million in India.
- Other indirect costs – such as employee time, effort, and company resources spent on investigation, and loss of good will – are also highest in the U.S.
Invest in Your Security
Data breaches are expensive in every country, but especially the U.S. Investments in cyber security are essential to keeping these costs under control.
Rather than viewing the investments as an expense, the wisest organizations will realize the costs of failing to secure their networks will far outweigh the costs to protect them.