Data breaches cost $2M per year: Symantec

A global survey of enterprise security by Symantec found that 75% of organisations have suffered data breaches within the past 12 months and losses are averaging $US2 million annually. The figure was even higher in Australia/New Zealand, where 89 percent of those surveyed experienced attacks on their IT infrastructure in the past 12 months.

Craig Scroggie, vice president and managing director, Symantec Australia and New Zealand, noted that "Cyber Risk" is now rated as more important than natural disasters, terrorism or traditional crime for a company.

"The online nature of most organisations today means that they rely on their core IT infrastructure, whether it's email or CRM applications, to do business."

"Malicious code is a top concern, and the big shift we see is that the attacks are now in the information, not just the infrastructure. People want to get onto your machine for the purpose of getting into it, rather than the purpose of disabling it."

The study is based on surveys conducted in January 2010 of 2100 enterprise CIOs, chief information security officers (CISOs) and IT managers from 27 countries (125 responses came from Australia, 75 from New Zealand).

Nearly all the enterprises surveyed (94 percent globally and 100 percent in ANZ) forecasted changes to security in 2010, with almost half (48 percent globally and 42 percent in ANZ) expecting major changes.

Every enterprise surveyed experienced cyber losses in 2009. The top three reported losses globally were theft of intellectual property, theft of customer credit card information or other financial information, and theft of customer personally identifiable information.

In ANZ, the top three reported losses were theft of corporate data at 53 percent, theft of customer personally identifiable information at 53 percent, and identity theft at 37 percent. These losses translated to monetary costs 92 percent of the time.

Globally, the top three costs were productivity, revenue, and loss of customer trust; in ANZ they were loss of data (49 percent), damage to brand (37 percent) and lost revenue (31 percent). Enterprises reported spending an average of $US2 million annually to combat cyber attacks.

Symantec found that enterprise security is becoming more difficult due to a number of factors. First, enterprise security is understaffed, with the most impacted areas being web security (52 percent in ANZ), network security (49 percent in ANZ), messaging security (49 percent in ANZ), data loss prevention (46 percent in ANZ) and endpoint security (43 percent in ANZ).

Second, enterprises are embarking on new initiatives that make providing security more difficult. Initiatives that IT rated as most problematic from a security standpoint include infrastructure-as-a-service, platform-as-a-service, server virtualization, endpoint virtualization, and software-as-a-service.

Finally, IT compliance is also a huge undertaking. The typical enterprise is exploring 19 separate IT standards or frameworks and is currently employing eight of them. Some of the top standards include ISO, HIPAA, Sarbanes-Oxley, CIS, PCI, Cobit, and ITIL.

Symantec suggests that organisations need to protect their infrastructure by securing their endpoints, messaging and Web environments. In addition, defending critical internal servers and implementing the ability to back up and recover data should be priorities. Organisations also need the visibility and security intelligence to respond to threats rapidly.