Today we are in a situation that many have never faced before, and organizations of all sizes are looking at ways to cut costs. One area I have seen targeted is cybersecurity: after a period of unprecedented spending, boards and executives are now asking what that spending has achieved.
I had an interesting conversation recently about security and the costs involved in providing adequate protection, and a statement was made that shocked me. It was: “Given that there seems to be a breach every other day in the news, we just need to be seen to take reasonable measures to demonstrate we did our best.”
The underlying sentiment of that statement is desensitisation and apathy: “it is happening to everyone, so there is nothing I can do.” It got me thinking about what the real cost of a data breach is.
The most recent IBM/Ponemon Institute study calculated the cost of a data breach at $242 per stolen record, and more than $8 million for an average breach in the US. The same study estimated that a typical company has a 29.6% chance of experiencing a data breach in the next 24 months, a dramatic increase in the odds from just a few years ago.
These are disturbing statistics, but if we look only at the financials above, we end up taking a purely accounting approach to deciding how much to spend on avoiding a breach. That should not be the case, because there are other factors to consider:
Legal Costs — One of the most visible costs to a company that suffers a data breach is legal fees. Class-action suits, settlements and potentially thousands of hours of attorney time are costs not often factored into the total loss reported.
Regulatory Fines — In the last few years there has been a massive increase in government oversight, in particular GDPR as well as local governments’ Data Protection Acts. The governing bodies have the ability to penalize companies by as much as 4% of their top-line revenue for failure to protect personally identifiable information.
Brand Reputation / Lost Business — The publicity that comes with a data breach can have far-reaching implications for customer loyalty. The reputational damage can, in turn, slow a business’s sales potential for many years, and some businesses will never recover. Would you trust a bank with your life savings if it had suffered a massive data breach?
Company Value — A significant leak will result in the company bleeding from both the top and bottom line. A typical company could lose up to 2% of its value, resulting in millions lost for shareholders.
Does Remote Working make incidents more expensive?
Does remote working make incidents more expensive? Yes and no. If your organization already had a significant percentage of its workforce working remotely before COVID-19 and had factored this into its incident response plan, then I would like to say no.
If your organization, like many, had to move hastily to keep operating by shifting the majority of the workforce to remote work, then the answer is yes. In my estimate, the potential cost of exposure is 15–20% higher. Security has moved from a predominantly centralized to a decentralized model, changing your trust boundary. The impact on network security, as well as endpoint protection, complicates incident response and how internal teams respond to security incidents.
What does the Data Say?
Whilst much of the information about the real costs of a data breach may never be publicly revealed, I was curious to take a couple of examples and see what I could find that would indicate the real cost of a data breach.
The first we will look at is the 2018 breach in which the data of up to 500 million guests was exposed.
As you can see from the chart, there was a steep decline after the announcement, but the share price did start to move upward a few weeks later.
In addition to this, the company received a GDPR fine of 110.3m Euros.
On March 31st, 2020, the hotel chain again disclosed a security breach that impacted the data of more than 5.2 million hotel guests who had used the company’s loyalty application.
There was still a drop in the share price, although this time it recovered within a few days. The interesting question will be what the GDPR fine is this time around, as one of the considerations in determining the penalty is the track record, which unfortunately is not ideal for Marriott.
Last year, in 2019, MGM Resorts suffered a massive data breach. News of the incident started to circulate in February 2020, when hackers leaked the personal details of 10.6 million hotel guests for free download. Later findings put the number at nearly 142 million, 14 times the figure recorded in February 2020.
Whilst there is clear evidence of a massive drop in the share price, this may not all be attributable to the data breach, as it happened around the same time as COVID-19. Still, it was a contributing factor when you look at the price leading up to the initial data breach.
At present, no fines have been issued. Still, they are subject to both GDPR and CCPA, with the California Attorney General able to impose penalties of up to $2,500 per violation. I will let you do the math, but even if the fines are similar to what Marriott incurred, this becomes a costly security mishap.
When looking at these costs and how to prevent them, you need to change your outlook. Stop asking “how do I prevent this?”, as it is evident that a determined adversary, given enough time and resources, will be successful.
It would be best to start from the assumption that your network has already been breached and focus on how you can detect that as quickly as possible. This mindset will allow you to minimize the impact on the business and help ensure that weaknesses are identified and mitigated. A key component of this is Cyber Threat Intelligence, which lets you detect exposure promptly and then address the underlying vulnerability.
The insights you get from a good OSINT (Open Source Intelligence) platform allow you to assess the risk at the business level.
Security is not just a technical problem; it is a business problem. It needs to speak the same language as the business and identify risks and mitigating strategies without FUD (Fear, Uncertainty and Doubt).