By James A. Martin
What does a security breach or malicious hacker attack cost? For organisations that lack a fully resilient infrastructure, hidden costs can include operational interruptions, loss of customer trust, lawsuits and compliance regulation fines. Consider the costs an organisation can incur from ransomware. In March 2018, Atlanta’s city government was hit with a ransomware attack, in which criminals demanded roughly $51,000 in bitcoin to restore the city’s systems. Atlanta didn’t pay.
Consequently, according to Engadget, more than one-third of the city’s necessary programmes went offline or were partially disabled. Worse, Atlanta’s city attorney office lost six of its 77 computers and 10 years of documents. The Atlanta police department lost its dash cam recordings. Initially, the cost of recovering from the attack was an estimated $2 million, but that soon increased by another $9.5 million.
Here are some examples of the hidden costs a security incident may bring, with tips on how to avoid them through business resilience best practice.
Hidden security breach costs
Emergency assistance from consulting firms. After a breach or attack for which you’re unprepared, you may need an outside consulting firm to help you bounce back. For instance, the city of Atlanta spent $600,000 with Ernst & Young for incident response consulting.
Technology and security upgrades. A successful attack means the exposure of weak links in your security—which you’ll need to repair going forward. Equifax, which in September 2017 experienced what’s probably the costliest data breach in history, was forced to upgrade its technology and security infrastructures. Its ongoing IT and data security costs related to the breach were $45.7 million in the first quarter of 2018 alone.
For lessons learned from the Equifax breach, see our blog post “The Equifax Breach: No More Excuses.”
Legal fees. Your organisation may be vulnerable to class-action lawsuits or other legal action stemming from data privacy leaks. Following its 2015 breach, Anthem was liable for more than $33 million in attorney fees and expenses, according to Big Law Business. That’s in addition to payouts to class-action plaintiffs, which in Anthem’s case included $7,500 each for 29 individuals and $5,000 each for 76 plaintiffs.
Insurance deductibles. Insurance against losses from cyberattacks and breaches is a growing market. But like most insurance policies, organisations may have to pay a deductible. Equifax’s deductible was $7.5 million.
Crisis communications and PR. After an attack is discovered, organisations should get the word out in a timely manner, which may mean engaging a crisis communications PR firm. Atlanta spent $50,000 hiring such a firm after its ransomware attack.
Regulatory compliance penalties or fees. With new data privacy regulations such as Europe’s GDPR, organisations can face stiff penalties if personal data isn’t adequately protected. Infringement fines can go up to 20 million euros.
See “What Does the GDPR Mean for Your Business?” for more information.
Damage to reputation and brand. This side effect of a data breach can be difficult to predict or estimate. But here’s one example: In February 2017, Verizon reduced its offer to acquire Yahoo by $350 million after Yahoo had disclosed two significant data breaches.
But that’s not all. Other hidden costs may include:
- Notifying customers via email, letters, phone calls
- Increase in calls to help desk and customer support
- Cost of business disruption and revenue losses from downtime
- Loss of customers and inability to acquire new ones
4 tips for avoiding attacks and breaches
- Cover the basics. Egress filtering, keeping security updates current, deploying Multi-Factor Authentication (MFA) and encouraging users to take passwords seriously are all basic security practices your organisation should implement to help prevent breaches, notes Asher de Metz, Senior Manager of Security Consulting at Sungard AS. De Metz has written extensively about basic security practices for enterprises:
  - “Password Security: Reality or Joke?” (CIO)
  - “Three Cyber Security Tips From a Professional Hacker” (Forbes)
  - “Phishing for Data: All Businesses are Victims” (CPO Magazine)
- Continually educate users about cyber security risks. Many cyberattacks and data breaches start with phishing emails that fool someone inside the organisation into clicking a link they shouldn’t click.
“Phishing messages look authentic, slip by spam filters and come from people the victim ‘knows’ due to spoofing,” says Shawn Burke, Sungard AS Global CSO. “Social media accounts can be used as a tool to tailor phishing messages specifically to the targeted employee, making it even harder to identify by the naked eye.” To counter those attacks, educate users and test their awareness, Burke says.
- Make incident response plans part of your resilience programme. The quicker you can identify and respond to an attack, the more likely your organisation can recover and stop an attacker from accessing sensitive data, notes de Metz. A cross-functional team of employees spanning IT security, legal, corporate communications, sales and human resources should be trained in what to do, in accordance with your incident response procedures.
- Segment each division of your network. In addition to training employees in how to respond after an incident, you should also segment each division of your network, recommends Haim Glickman, SVP, Global Solutions Engineering at Sungard AS. “This way, if you experience a cyberattack, you just need to identify the origin of the attack and shut off that single segment from the rest of the company. This minimises the amount of sensitive data stolen and allows you to recover quickly to continue operating as normal.”
“Network segmentation can be used to protect sensitive data and effectively thwart a cyberattack,” adds de Metz. “For example, a client of ours prepared their network by segmenting each division and trained their employees on the incident response procedures in the event of an attack. When the company experienced a cyberattack it was able to quickly identify the origin of attack, shut off that single segment from the rest of the company, and recover quickly to continue operating as normal. Having a well-thought-out incident response plan that employees know how to execute properly is critical to business continuity.”
Enterprises are also increasingly using micro-segmentation to create secure zones in data centres and cloud deployments that isolate and protect workloads, as well as containers to isolate virtual machines and reduce the attack surface, Glickman notes.
In addition, you can improve resiliency with snapshots of files and storage, which let you roll back to a predetermined Recovery Point Objective (RPO), minimising your exposure to data loss and its associated costs, Glickman says.
For additional tips on avoiding cyberattacks and protecting your organisation against data breaches, consider reading these resources:
James A. Martin has written about security and other technology topics for CIO, CSO, Computerworld, PC World, and others.