Cyberattack threat is growing as study shows spike in legal defense spending

By: Suzanne Gellhorn

The threat of a crippling attack on computer and telecommunications networks is growing, as legal defense spending spikes and data breach incident costs level off.

America's top intelligence official has told lawmakers that an increasingly sophisticated group of enemies has "severely threatened" the United States’ IT infrastructure. If so, Canada is likely in similar shape, though there have been no reports of attacks north of the border. The real risk might be that attacks are launched from here.

"Sensitive information is stolen daily from both government and private sector networks, undermining confidence in our information systems, and in the very information these systems were intended to convey," Dennis C. Blair said in prepared remarks to a US Senate committee.

"Malicious cyber activity is occurring on an unprecedented scale with extraordinary sophistication," he said.

It is notable that Mr. Blair began his annual testimony before Congress with the cyber threat. A lot has been written on this issue, but there are real, material concerns regarding the potential consequences of a coordinated attack on the nation's technology apparatus.

The spy chief's assessment of the threat of a "Cyber Pearl Harbor" was weightier than last year’s, when he said there had been progress dealing with al Qaeda and its affiliates.

Spike in legal defense spending

Enterprise data protection company PGP Corporation and the Ponemon Institute, a privacy and information management research firm, have announced the results of the fifth annual US Cost of a Data Breach Study.

According to the study, data breach incidents cost US companies $204 per compromised customer record in 2009, compared to $202 in 2008.

Despite an overall drop in the number of reported breaches (498 in 2009 vs. 657 in 2008 according to the Identity Theft Resource Center), the average total per-incident costs in 2009 were $6.75 million, compared to an average per-incident cost of $6.65 million in 2008.

Key Findings from the Study

Key findings of the study were as follows:

  • Data breaches resulting from malicious attacks and botnets were more costly and severe.
  • Negligent insider breaches have decreased in number and cost, most likely as a result of training and awareness programs having a positive effect on employees’ sensitivity and awareness about the protection of personal information. Additionally, 58% have expanded their use of encryption, up from 44% last year.
  • Organizations are spending more on legal defense costs, which can be attributed to increasing fears of successful class actions resulting from customer, consumer or employee data loss.
  • Average abnormal churn rates across all incidents in the study were slightly higher than last year. The industries with the highest churn rate were pharmaceuticals, communications and healthcare, followed by financial services and services.
  • Third-party organizations accounted for 42% of all breach cases, dropping from 44% of all cases in 2008. These remain the most costly form of data breaches due to additional investigation and consulting fees.
  • The most expensive data breach event included in this year’s study cost a company nearly $31 million to resolve. The least expensive total cost of data breach for a company included in the study was $750,000.

About the Study

The annual US Cost of Data Breach Study, by PGP Corporation and independently conducted by the Ponemon Institute, tracks a wide range of cost factors, including expensive outlays for detection, escalation, notification and response along with legal, investigative and administrative expenses, customer defections, opportunity loss, reputation management, and costs associated with customer support such as information hotlines and credit monitoring subscriptions.

The study was derived from a detailed analysis of 45 data breach cases, with the number of affected records ranging from 5,000 to 101,000. The companies analyzed were from 15 different industries.
