Incident Response #5: Counting the Cost
“An ounce of prevention is worth a pound of cure.” —Benjamin Franklin
While I could literally write forever about data breaches and incident response, I need to bring this blog series to a close. In doing so, I will have achieved my goal of providing a wide enough range of information that you have gained a deeper understanding of the complexities of incident response. To wrap things up, we need to cover a litany of economic factors that pertain to breach preparedness and response.
Operating in the current threat landscape is expensive. The only thing you really control is who you are going to write the check to.
Breaches Are Expensive
According to the 2015 Cost of a Data Breach Study by the Ponemon Institute and sponsored by IBM, the average cost of a data breach is US$3.79 million. Now that’s just the average of the organizations that participated in the survey, so the data set is somewhat limited. The study does not include “mega-breaches,” which are defined as any breach in which more than 100,000 records are exposed.
What that means is that the estimated cost is artificially low based on multiple factors such as participation (Were you part of the survey sample?), breach size (Were you below the 100,000 record threshold?), candor (Were you telling the truth?), and legal obligations (Were you, or are you, in the process of litigation or a criminal investigation that would preclude you from sharing the details of the incident?). What is also not accounted for is the loss of customer confidence, loss of market share, potential loss of stock valuation, cost of litigation (outside counsel, class action lawsuits), and remediation costs. While it’s difficult to speculate on the impact of these additional components, I would conservatively estimate that they account for 50% of the total breach cost based on my experience and research.
OK, so, it’s expensive to get breached—I think everybody gets that. By all indications, breaches are increasing globally. At least, they appear to be increasing based on factors like reporting requirements and media coverage. I am sure everybody gets that, as well. I have said many times that there are really only three types of organizations: those that have been breached, those that are currently breached (many may not yet realize it), and those that are about to be. So, it’s likely to happen to your organization if it hasn’t happened already, it’s going to be really expensive when it does, and it can have a long term negative impact on your brand.
Breaches Are Preventable
In my experience with data breach investigations, I have uncovered a truth that is going to be a bit shocking to hear: they are preventable. If I had to guess, I would say that over 95% of the time, breaches occurr by exploiting something that could have been easily, and in most cases inexpensively, fixed. That flies in the face of the recent media releases of high profile breaches where the propensity is to overstate the complexity of the attack while understating the impact. This makes for great TV, but it’s simply not supported by the facts, which typically say the opposite. Breaches are largely the result of poor IT hygiene, insufficient penetration testing, and weak breach preparedness training. These factors almost always add up to a total compromise.
Help Is at Hand
The good news in all of this is that there is hope. There are professionals such as the Nuix Cyber Threat Analysis Team who are experts in advanced threats and countermeasures and breach preparedness and who can position your organization in the best possible way to deflect, detect, react, respond, and recover from an attack.
These tactical operations will give your organization specific findings and action items that will allow decision makers to operate with real and relevant information (as opposed to pages and pages of scan results). They will know precisely what their strengths are, what their likely attack vectors are, and where they need to focus time, energy, effort, and training. Oh, and did I mention these services can be conducted for a fraction of the cost of a data breach?
This level of detail is a tremendous asset to executives. Board members all over the world are asking their executives “What are we doing to prevent a data breach?” and “How are we preparing to handle a breach if one occurs?”
Here’s an example of a typical, and virtually meaningless, answer to those questions:
“We are preforming a full-spectrum review of our security posture to enable a collaborative and holistic strategy. We will be purchasing and implementing disruptive technology that is in the Gartner Magic Quadrant and will enable our subject matter experts to enhance their visibility into the threat landscape.”
Ouch—it hurt my brain just typing that. Instead of playing buzzword bingo, how about this answer instead?
“We have hired a team of expert hackers and investigators to look at our security from the eyes of an attacker. They are going to tell us where our weaknesses are and show us what we need to do to fix them. Then they are going to help us build a response plan so we know what to do when something bad happens. They are also going to become a long-term partner and continue to work with us to ensure we are doing everything we can to prepare for an attack.”
Better, isn’t it?
Spend Now or Pay the Price Later
In today’s threat landscape, regardless of the size of your company, your geographic location, or business vertical, you are a target. You have something to steal, and there are people who want to steal it. The choice before you is simple: either prepare by performing realistic testing and training, or react, largely unprepared, to a data breach.
One will cost you in the tens of thousands of dollars up front, the other will cost you millions in the long run.
One will bolster your brand reputation, the other will burn it to the ground.
One will bring you scrutiny from your board of directors, privately asking what you are spending money on and why, while the other will draw the attention of a plethora of regulatory agencies that will ask, very publicly, why you didn’t spend money on preparation.
One will enable you to take a defensible position with regards to “reasonableness of care,” and the other will leave you with nothing but excuses.
As far as business decisions go, this is about as much of a no-brainer as you can possibly get. Count the cost, make the call, and decide who you write the check to.