Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Analytics

9/12/2013
11:15 AM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

How To Cushion The Impact Of A Data Breach

A major breach can wreak havoc on many aspects of the business. Here are some ways to soften the blow

For five years now, a Ponemon Institute annual report has tried to put a number on the cost of data breaches. It creates benchmarks for direct costs such as regulatory fines and the cost of notifying customers, alongside estimates of indirect costs such as customer churn and lost business. In 2013, Ponemon pegged the cost of a data breach at $136 per lost record on average across the globe. Ponemon estimated the cost in the U.S. at $188 per record, and $277 per record when the breach came at the hands of malicious and criminal attacks such as outside hacking or insider theft.

Benchmarks have their role, but everyone knows that some types of breaches are far more expensive to companies, such as those that expose intellectual property (IP) such as secret recipes or technological specifications, or that reveal acquisition information prior to a big deal. Manufacturing supply chains could be tampered with in sabotage attempts. Or customer records could be stolen, sometimes from a third-party contractor rather than the organization entrusted with the information.

Factors such as lost IP don't make it into many breach cost estimates because the impact is so hard to measure, and because breaches are often outside regulatory scrutiny and therefore aren't publicly reported. But by understanding hidden or underreported costs, and threats specific to their industries, companies can better plan breach response and recovery, set budgets that fit the risks and reduce the cost of future problems.

The Hidden Impact Of Breaches

IT must contend with its costs of forensics and interruptions that go along with piecing together what was stolen and how. But "hands down, the biggest cost is loss of productivity," says Vinnie Liu, managing partner for security consulting firm Bishop Fox, "not just with the IT team but all the people who are affected by the systems impacted, especially critical systems. It has a domino effect, and it is a huge multiplier effect that happens after a breach."

And as Ponemon and others calculate, there are substantial known costs of notifying affected customers and business partners, paying for credit monitoring and identity restoration for victims, and staffing call centers for added customer service calls that all play into the total cost of a breach.

Then there are potential costs for regulatory investigations, litigation, the loss of goodwill and the loss of customers, all of which contribute to the squishy "brand damage" that is impractical to truly measure.

The most commonly neglected cost involves the phenomenon of "organizational thrash," contends Peter Tran, senior director of the Advanced Cyber Defense practice at RSA, the security division of EMC. This is the fatigue factor that hits IT and sometimes other departments after slogging through crisis mode for months after a breach discovery, examining log data, ferreting out the adversary, changing infrastructure, and working with lawyers and communications specialists. Security becomes less effective because IT teams are "burned out, and they're actually less on the ball than before," Tran says.

It's not just the loss of IP such as technical specs that can cost a company dearly. A company is put at a disadvantage if it loses data on how much it is willing to bid on a contract, where it plans to set up new operations or which overseas businesses it plans to negotiate deals with.

Companies also frequently pull back on innovative projects following a breach, particularly in the tech sector, as they try to identify what IP is lost, and how it was taken, before investing more into that work. Putting hard costs on that lost innovation is hard, Tran says, because it's so intertwined with economic and market factors.

Take Early Action

The damage from security breaches tends to increase the longer an attack goes undetected. If the goal is to steal customer data or intellectual property, most breaches start small with a malware foothold on some endpoint, established through a phishing attack or Web-based attack. With a beachhead established, the attacker looks to escalate privileges on the machine, move sideways onto other machines and implant multiple back doors on all the systems the attack touches to maintain persistence. "More importantly, the longer it takes, the more likely an attacker is to find and exfiltrate the organizations 'secret sauce,'" says James Phillippe, leader of threat and vulnerability services for the U.S. at Ernst & Young.

Many compromises today are measured in months, not minutes. The 2013 Verizon RISK Team "Data Breach Investigations Report" found that 66% of breaches in 2012 remained undiscovered for months or more, up from 41% in 2010. And approximately 70% of those breaches were discovered by third parties such as business partners or police, not by the affected organization.

One of the biggest inhibitors to speedy breach detection and response is the lack of visibility and analysis of network traffic, which would allow organizations to connect the dots between seemingly isolated attack symptoms and see them as indicators of a compromised system.

"Many organizations are content to play whack-a-mole when it comes to incident response," Phillippe says. "They clean malware off the host and quickly return it to service. This perceived response only treats the symptom of the issue, the malware."

There are three keys to quickly discovering and responding to breaches, says Phillippe. First, companies need solid asset management to recognize all of the devices on the network and establish baseline behavior, which improves their chances of quickly detecting anomalies.

Second, a well-tuned security, information and event management system is the "heart of a security operations center" and is the engine connecting the dots that show that those anomalies amount to an attack.

Third, threat intelligence services give companies the context to recognize potential attackers. These services offer industry-wide data about attack patterns and trends occurring at other companies so companies can look out for certain indicators of compromise.

chart: reputation takes a hit

chart: breaches don't come cheap

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.  View Full Bio

Previous
1 of 2
Next
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
anon7829802919
50%
50%
anon7829802919,
User Rank: Apprentice
9/20/2013 | 6:09:07 PM
re: How To Cushion The Impact Of A Data Breach
Having a plan is key, as noted in the article. And risk assessments are good. Even better is for InfoSec or IT to have done a sensitive data audit to figure out where sensitive data lives throughout the organization and map it so that it's easier to identify where malware may be headed and what it's intended targets may be. http://www.encase.com/products...
anon0371927161
50%
50%
anon0371927161,
User Rank: Apprentice
9/18/2013 | 9:32:18 PM
re: How To Cushion The Impact Of A Data Breach
Interesting article. One can start with a Free Risk Assessment http://www.gtbtechnologies.com...
News
FluBot Malware's Rapid Spread May Soon Hit US Phones
Kelly Sheridan, Staff Editor, Dark Reading,  4/28/2021
Slideshows
7 Modern-Day Cybersecurity Realities
Steve Zurier, Contributing Writer,  4/30/2021
Commentary
How to Secure Employees' Home Wi-Fi Networks
Bert Kashyap, CEO and Co-Founder at SecureW2,  4/28/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-26077
PUBLISHED: 2021-05-10
Broken Authentication in Atlassian Connect Spring Boot (ACSB) in version 1.1.0 before 2.1.3 and from version 2.1.4 before 2.1.5: Atlassian Connect Spring Boot is a Java Spring Boot package for building Atlassian Connect apps. Authentication between Atlassian products and the Atlassian Connect Spring...
CVE-2021-31755
PUBLISHED: 2021-05-07
An issue was discovered on Tenda AC11 devices with firmware through 02.03.01.104_CN. A stack buffer overflow vulnerability in /goform/setmac allows attackers to execute arbitrary code on the system via a crafted post request.
CVE-2021-31756
PUBLISHED: 2021-05-07
An issue was discovered on Tenda AC11 devices with firmware through 02.03.01.104_CN. A stack buffer overflow vulnerability in /gofrom/setwanType allows attackers to execute arbitrary code on the system via a crafted post request. This occurs when input vector controlled by malicious attack get copie...
CVE-2021-31757
PUBLISHED: 2021-05-07
An issue was discovered on Tenda AC11 devices with firmware through 02.03.01.104_CN. A stack buffer overflow vulnerability in /goform/setVLAN allows attackers to execute arbitrary code on the system via a crafted post request.
CVE-2021-31758
PUBLISHED: 2021-05-07
An issue was discovered on Tenda AC11 devices with firmware through 02.03.01.104_CN. A stack buffer overflow vulnerability in /goform/setportList allows attackers to execute arbitrary code on the system via a crafted post request.