With the average data breach now costing over $4 million in damage, it’s not surprising that CISOs are worried about the effects that a security incident can have on their organization. The recent Equifax breach serves as a reminder that maintaining cyber security health is increasingly important. While CISOs sometimes focus exclusively on the impact and cost of the initial attack, cyber incidents have effects which continue long after the business has recovered and operations have resumed. In this article, we’ll touch on some of the hidden costs of a security breach and how they can be just as detrimental – if not more so – than the attack itself.
An Ever-Expanding Scope: Beyond Data Loss
Security incidents come in many shapes and forms. Whether it’s something as simple as an account lockout due to repeated login attempts, or a full-blown network intrusion, these incidents cause ongoing damage.
For example, consider the lingering effects of that simple lockout issue:
- How much productivity was lost by the affected user(s)?
- How much time did the help desk spend resolving the problem instead of performing their daily responsibilities?
- How much time will engineers spend adjusting security policies to lower the recurrence of these incidents?
These are all examples of ongoing resource expenditures– showing that when it comes to a major security incident, the costs aren’t limited to remediation time alone.
Technical Costs of a Data Breach
This is perhaps the most obvious cost of an incident, but it goes beyond the initial outage and downtime during the recovery phase. The impacted organization might have already lost $200,000 in production, damaged systems, and stolen digital assets, but there’s more to come. In addition to the initial loss, the organization will also need to invest more resources in security tools, outsourced security providers, assistance for affected users (credit monitoring services, for example), and performing a Root Cause Analysis, post-mortem, additional security training, and adjustments to the security program.
Legal and Compliance Costs
After the organization spent time and money recovering technical resources, the organization still has to deal with the legal repercussions of the incident, which can often cost more than the technical remediation. In a best-case scenario, the organization only has to handle customer notifications of a potential incident involving sensitive data. In a less ideal situation, where the affected data is subject to regulations, the the organization is also opening the door to legal investigations which come with fines, the costs of discovery, and required consultation from third-party services. All of these costs can sink a business or at least make a sizeable dent in is profits and revenue forecast. Some CISOs may not consider the legal and compliance costs of a security breach, and thus may not commit adequate resources to their organization’s security program.
Loss of Trust and Reputation
Another sometimes disregarded cost of data breach is that negative impact to the organization’s trust and reputation. CISOs and other C-level executives find themselves grappling with the following questions:
- How much is the organization’s reputation in the industry worth?
- What has been the capital investment to establish brand in the market?
- How many current and prospective clients would the organization lose if its reputation is tarnished?
Especially for companies who attract their customers based on their brand trust –such as banks and other financial institutions– the impact of a breach can be disproportionately damaging. In the worst case scenario, companies may suffer international embarrassment, loss of credibility, loss of trust by its customers and investors. Additionally, in some cases they have had to futilely pour money into recovering their brand– an endeavor that can sometimes result in eventual bankruptcy and company closure.
The Solution: A Comprehensive Security Program with a Holistic View on Risk
A comprehensive security program focuses on the whole risk cycle and includes the buy-in of board members or senior executives. It’s an unfortunate reality that, even in a time where cyber incidents have forced their way above-the-fold, some businesses still don’t perform proper due diligence when creating their information security frameworks. Whether it’s a result of a lack of bandwidth, underfunding or personnel constraints, many enterprise security programs use multiple point solutions that were selected without a security framework and foundation in place. In many cases this approach can result in redundant streams of information, excessive alerting on false positives, and ultimately can leave the information security department with an even larger bandwidth issue than it started with.
How should a CISO factor in hidden costs when justifying security expenditures? Rather than just presenting the features of a new monitoring system, providing an explanation of how the tool or tools can help the organization avoid damages including those hidden costs is a more effective approach that will better resonate with senior management and the board.