The costs and implications of data breaches go far beyond the initial incident response and customer notification costs. In a new survey out by the SANS institute, only about one third of organizations are able to remediate breaches within a week of detection and the greatest financial impact from breaches extended months and even years beyond the event for the majority of organizations.
Conducted on behalf of Identity Finder, the SANS study took an in-depth dive into the post-breach ramifications of nearly 60 organizations. Coming from a fairly distributed range of organization sizes and industries, the study shows that even after remediation, over 60% of organizations still felt the impact from breaches. Meanwhile, the greatest financial impacts were felt long after the exposure occurred. Over 40% of organizations said they felt the biggest monetary pinch one- to 12 months after the fact.
These financial shocks often come from unexpected sources. For example, some organizations may recognize that there will need to be additional resources necessary to conduct forensics investigations during breaches, but don't realize they'll have to make unplanned purchases following an incident. Approximately 57% of respondents reported having to acquire additional tools for forensics or data recovery as a result of a breach.
Additionally, breaches frequently uncover root causes that require additional controls to prevent them from happening again and to keep the regulators at bay once an event brings their focus onto an organization. Nearly three-quarters of organizations needed to divert resources to bolster the development of administrative policies, and approximately 65% had to spend extra money on training and awareness programs following a breach. Additionally, 65% of organizations had to purchase technical tools outside the normal IT budget cycle, and over 60% needed to pick up physical controls in the wake of a breach. What's more, around a third of organizations realized they needed to add or change managed services to account for increased security after a breach.
"One could argue that these controls were needed anyway and that they should not be included in an accounting of post-breach costs. After all, having proactive security policies and procedures in place is always the best defense against a breach," wrote the report's author, Barbara Filkins. However, the fact that these purchases and resource allocations were sudden and unplanned invariably means they threw off the balance of budgeting and caused disruption in the flow of IT operations -- versus taking a pre-emptive and measured approach to increasing controls.
As things stand, fewer than half of organizations carry cyber insurance for breach events, and only about a third of organizations had enough coverage to completely cover post-breach costs, according to the report.