德國2009年市場調查報告: 超過三分之一的資料外洩原因來自外部夥伴


Over a Third of All Data Breaches in Germany Are the Result of Errors by External Partners

Current Study on the Cost of Data Breaches in Germany in 2009

Offenbach, Germany and Traverse City, MI / 14th April 2010 – In 2009 German companies had to invest more than they did only a year ago when they suffered a data breach with subsequent data abuse. More and more frequently the source of the error leading to violation of data protection is not in the company's own building but on the premises of external providers who are processing or using company data on the company's behalf. These are the results of the ‘Jahresstudie 2009: Kosten von Datenpannen’ [“2009 Annual Study: Cost of a Data Breach”], which examines the financial consequences of data loss and abuse in German companies with reference to real-life data.

The study, for the second time carried out by Ponemon Institute and supported by PGP Corporation, is based not on hypothetical assumptions but on the actual facts and figures resulting from data breaches and subsequent cases of data abuse in 22 German companies. The data breaches covered by this study range from cases of fewer than 3,300 data records affected to cases of around 63,000 data records. Data from a total of twelve different industries was covered, the emphasis being on quantifying the direct and indirect costs and the subsequent expenditure arising from loss or theft of personal data, using objective measurement criteria.

Overview of important results

Data breaches becoming more expensive: Whilst the average cost of data protection violations examined in the previous year was about 2.41m per case, in 2009 companies had to dig nearly 7 percent deeper into their pockets and spend an average of 2.58m per case to rectify the damage resulting from actual cases of data abuse. The cost per compromised data record rose even more, namely by 18 percent from 112 to 132. In the most serious case examined, data abuse caused damage amounting to around 7m. The reason for the rising cost appears to be the 2009 amendment to the German Data Protection Act.


External providers often cause data breaches: Violations of data protection with subsequent data theft are more and more frequently resulting from errors by external providers who receive data from a company. Whilst in last year's study 17 percent of cases examined were the result of errors by third parties, in 2009 this figure rose to 36 percent. Because of the additional expenditure on forensics and advisory services the resultant damage of 159 per compromised data record was far above the expenditure of 132 per data record as a result of an internal data breach.


Clear allocation of expertise pays off: The 36 percent of companies in which responsibility for data security and handling of damage rectification in the event of data abuse were clearly delegated to a member of company management – e.g. the person responsible for informational security – spent around 87 per data record affected in the event of data abuse. In companies that had not made any clear allocation, however, the cost was 158 per compromised data record.


•Malice and negligence in nearly equal measure: In the examined cases from 2009, 54 percent of all cases of data abuse resulted from malicious or criminal attacks or the activities of botnets (2008: 50 percent). The average resultant cost of 120 per compromised data record was far below the 147 cost per data record when the fault lay in the IT systems or the cause was employee negligence. There are thus grounds to assume that whilst companies are investing more in defensive and forensic technologies they are in the process neglecting to check the reliability of production systems, or sensitisation and training of employees.


Customers punish companies with data breaches: Seen against the total cost of 132 per compromised data record in the event of a data breach, the 46 cost component for lost profit in 2009 was far higher than in 2008 (36). This shows that customers and consumers place far more value on protection of personal data than they did a year ago. The cost of exposure increased comparatively moderately, from 36 to 39, and for reactive measures the estimated average was 41, as against 36 in 2008. A clear percentage increase of 75 percent from 4 to 7 per endangered data record was established as the cost of notifying those concerned.


For companies, data protection is above all a technological matter: The amended data-protection laws have led to many companies updating their technology. Thus the proportion of companies questioned who use encryption solutions rose by 26 percent to a total of 77 percent. There were also increases of 20 percent to 30 percent for other appropriate technological measures compared with the year before. Thus 73 percent of companies have optimised their checking of internal and external network transitions, 68 percent run a security event management system and 59 percent a DLP (Data Loss Prevention) solution. Involvement of companies in training and sensitisation measures, on the other hand, demonstrated low growth rates, with a mere 27 percent of companies investing in regular data-protection training for their employees.


“German customers and consumers are extremely sensitive to the protection of their personal data. Any company that has still not grasped this fact is putting their existence at risk,” said Phillip Dunkelberger, President and CEO of PGP Corporation. “This year’s report shows the loss of profit after a data breach and should convince companies that data protection is not a trend, but a crucial task that is critical to business.”

以上資料來源: http://www.pgp.com/insight/newsroom/press_releases/2009_annual_study_de_cost_of_data_breach.html


解決方案:

PGP 加密

回首頁