White Paper

Causes and Effects of Data Breaches

What causes data breaches and how to prevent them

Anyone who regularly reads newspapers or watches television news does not need to be told that data breaches are serious
and prevalent issues. They are reported on frequently, often in ominous tones.

The concern is warranted. According to IBM-sponsored research by Ponemon Institute, in 2019 the average cost of a data breach was $150 for each lost or stolen record that included sensitive and confidential information. The average total cost for the organization as a whole was $8.2 million
per incident. 1

Clearly, the total cost for an organization varies depending on its size and the magnitude of the breach, but it can represent a material portion of annual revenue. And, keep in mind that many of the victim companies already had some level of data security in place—and, in many cases, a high level. The consequences could have been even more dire without it.

Data Breach Causes
Thanks primarily to blaring headlines, when people hear the phrase “data breach,” they often think of hackers with malevolent intent. That’s definitely a serious threat, but it’s not the only one.  Other causes of data breaches, such as human error and system glitches, are inadvertent and, therefore, have benign
or no intent. Nevertheless, a non-malicious breach can sometimes be almost as costly as a malevolent one:

Human Error
Notwithstanding the headlines about hacking and thefts of massive volumes of personal and financial data, most studies show that more data breaches result from human error than criminal attacks. In fact, 62% of the data breaches reported to the U.K. Information Commissioners Office resulted from
human error. 2

A CompTIA survey pegged the number somewhat lower, 52%, but still found that the majority of data breaches were caused by human error. 3

That having been said, those numbers can be subject to some interpretation. For instance, if a laptop, tablet or smartphone— or even something as old-fashioned as a sheet of paper—it is inadvertently lost and the data on it is subsequently accessed by someone who serendipitously found it, that’s a data breach, but is it human error? The loss was human error, but the access of the data may have been an intentional act.

Likewise, should a breach initiated by a phishing attack be considered human error or a criminal attack? There are elements of both. The sending of the phishing email and the intrusion the attacker executed through it may have been criminal, but the click on the link in the email, without which
the attack would have failed, was human error.

However, there is little point in spending too much time on what is primarily a pedantic data-breach taxonomy exercise.  Whether you classify it as human error or something else, the point is that data has been put at possibly serious risk.

As familiar as you may be with these news stories and statistics, it is still important to take a step back and ensure you are familiar with exactly what data breaches are, what causes them, the costs your organization might incur as a result of them, and how you can prevent them. This white paper presents a
high-level overview of these topics.

1 2 3 IBM Security Cost of Data Breach Report – 2019 – (https://www.ibm.com/security/data-breach)

Causes and Effects of Data Breaches