The True Cost of Being Hacked: Feature
Putting a figure on the cost of data breaches is akin to nailing jelly to a wall. Yet as enterprises attempt to insure themselves against losses and CISOs fight for budget, it is increasingly important to work out the financial impact of a data breach on the organisation.

A number of people have attempted to cost out the losses from a data breach incident. But is everything factored in? What about legal costs, for example? Research company Ponemon's 'The Cost of a Data Breach' report found that German and US companies had the most costly data breaches ($199 and $188 per record, respectively).[1] It found that the average UK firm could be liable for costs of over £2m should it fall victim to employee negligence or malicious attack. Ponemon explains that to calculate the average cost of a data breach, it collected the direct and indirect expenses incurred by the organisation. Direct expenses include engaging forensic experts, outsourcing hotline support and providing free credit monitoring subscriptions and discounts for future products and services. Indirect costs include in-house investigations and communication, as well as the extrapolated value of customer loss resulting from turnover or diminished acquisition rates.

PwC has also had a shot at costing data breaches. Its 2013 Information Security Breaches Survey, funded by the Department for Business, Innovation and Skills (BIS) and carried out in conjunction with Infosecurity Europe, found the average cost of the worst security breach for small organisations was £35-65,000 and for large organisations was in the range £450-850,000. The vast majority of these were through cyber-attack by an unauthorised outsider. Several individual breaches cost more than £1m.

Andrew Miller, PwC information security director, says: "Organisations need to make sure that the way they are spending their money in the control of cyber threats is effective. Spending on cyber control as a percentage of an organisation's IT budget is up this year from an average of 8% to 10%, but the number of breaches and their impact is also up as well, so it is clear that there is work to be done in measuring the effectiveness of the security spend."
Heaviest sufferers

According to a recent Dell Software security survey, the average cost of security threats in the UK currently stands at $793,747. This chart shows the average costs of security threats globally. The UK is the third-highest sufferer of security threats, with Germany and the US the heaviest sufferers of security attacks. Canada has the lowest spend on its IT security, yet it sees the lowest number of attacks.

Dell has found that the UK spends 11.6% of its overall IT budget on security, while the US spends a larger 20.7% of its overall IT budget. However, the survey discovered that 68% of UK respondents are planning to increase their spend on IT security in the next two to three years.

[Figure: Average per capita cost of a data breach in the UK over seven years. Source: Ponemon Institute/IBM.]
Computer Fraud & Security June 2014
If the criminals are caught there is the possibility that losses may be covered, but the possibility is slim. "If convicted cyber-attackers are in the same country as the victim and there are assets that can be seized then this is a relatively easy process for the police and the courts," says Crocker. "Such an occurrence is rare, however, because cyber-criminals are normally based in other countries and the fact is not that many fraudsters get caught. The police will promote the arrests of those convicted but generally they are the mules that are used to cash out. Very rarely are they the real criminal who stole the money."

Crocker's investigations of criminal groups attacking UK and European companies through the web identified three types of cyber-criminals: the money-motivated, the ego-motivated and those who are politically motivated. "For criminals motivated by money, financial gain is the prize," he says. "However, it is very unusual for them to try and steal money directly. Personally I have only dealt with a couple of cases that have done so. In the main they target financial details including bank account details or credit card details. Cyber-criminals can then either cash them out themselves, which is rare, or they then sell the data on criminal forums. In my experience there are very few all-rounders that know how to steal data and then how to cash out. Often they sell the data to others who then cash out."

In his opinion the real costs of being hacked result from loss of reputation and the loss of customer confidence. The problem is also that these are areas that are hard to place a financial figure on but can cost the company much more than the initial hack.

Customer retention

EJ Hilbert, head of cyber investigations at Kroll, points out that the cost of a breach is shared by several players: not just the firm that lost the data but the people whose information was stolen, the companies who secured it and the companies with whom the victim may have had a relationship.

Before joining Kroll, Hilbert spent eight years as a Special Agent for the FBI, and led large cybercrime investigations addressing the computer intrusion, theft of data and extortion of over 600 financial institutions. "Costs to third parties and partners are very difficult to track because they are not always tangible," he explains. "How do you track reputational damage? Or claim that this man hour was spent addressing X, which isn't normally part of their job but was deemed more important because Y occurred?"

Card replacement is often the biggest trackable cost, with some figures reporting $25 per card and linking directly to the items stolen. Also trackable are legal fees and costs for outside vendors to investigate the matter as well as mitigate the risk of a breach reoccurring. But most companies don't like to list all the costs as it means they might have to reveal more problems to the media or public.

There is also a cost associated with digital forensics to find out how the breach occurred and/or who was responsible. "The cost of forensics will vary depending on the amount of data, systems and people involved," says Hilbert. "If you think of it in man hours, 1GB is approximately 50,000 pages of paper. How long will it take one person to review those pages? Even with software doing it, a human has to review the results, narrow the searches and follow the trail as the data moved through systems. Most desktop computers have 500GB capacities and servers are in the terabytes."

Insuring losses

The challenge of assessing the potential cost to an organisation of a data breach can have serious implications when trying to insure against losses. Mark James, technical director at ESET UK, believes that insurance won't come even close to recouping losses: "The financial damage involved from a security breach cannot be worked out in the limited time before any type of trial is set up. Hackers would not even be in a position to pay back single percentages of the total cost, let alone say 50%," he says.

The key problem is not being able to actually determine what was taken,
statements made by organisations after a breach are usually along the lines that "We think X amount of data was compromised." Without knowing exactly what X is, the cost can't be truly determined.

Berman at Stroz Friedberg does not discount the role of insurance but cautions that care must be taken: "Cyber insurance has an important part to play in any risk mitigation strategy but as with any type of insurance, policies are written in many different ways and cover different aspects of a breach. It is, therefore, necessary to ensure the cover is tailored to the specific needs and exposure of each business."

Neiman Marcus, and why you should check your logs

After the high profile data breach at Neiman Marcus, it emerged that the hackers who breached the firm's payment systems set off hundreds of alarms during the 60,000 times that they accessed the company's networks. Expert observers have questioned the logic of investing in security systems that appear to have been simply ignored.

"The best, most expensive system in the world is useless if the people manning it don't know what to do or don't respond to the alerts when they occur: 60,000 alerts for NM is a lot of alerts and you have to wonder why they were missed. Did the team not understand the alerts? Was the team not trained properly?" says Hilbert.

He adds: "Every company needs to educate its employees about the risks at a personal level and it will flow down to the corporate world. These training costs are part of doing business. Would you train an employee how to close the till after each transaction but not on how to respond to a fire alarm? Probably not. Throwing extra equipment at it is not always the answer. In fact, most of the latest equipment is about threat intelligence so that current systems can be updated to recognise potential threats, but again it requires a human to respond appropriately."

It has since been reported that the 60,000 accesses represented around 1% of the events logged, and although alarms were triggered, the retailer's security systems did not identify the activity as malicious. According to a report by consultancy Protiviti, Neiman Marcus was in compliance with data protection standards at the time.

Shawn Modarresi, president of cyber-security company OxCept, comments: "Securing systems to curtail intruders is not an expensive proposition. A lot of the servers and POS systems being utilised today are either outdated or do not have the proper controls in place. Engineering departments need to do a lot more R&D when it comes to understanding what is needed in order to stop hackers from getting into networks. In the example of Neiman Marcus it is coming to light that not only did their back-end not have a sufficient security protocol but systems in place were outdated."

Security intelligence

Martin Borrett, director, IBM Institute for Advanced Security, recommends that organisations strive towards security intelligence. "Security intelligence helps to remove false positives and focus valuable resources and efforts into a set of focused actionable events and alerts," he says. "When properly implemented, security intelligence can give visibility and insight into the behaviour of insiders and hackers breaking in from the outside."

He believes that more intelligent security tech has a part to play. Solutions exist in the marketplace today that are highly effective at addressing this challenge in a cost effective way.

Conclusion

Others believe that a more cost-effective way of containing the costs of being hacked includes spending more money on people. "Businesses of all size must take a more proactive approach to improving their security," says Simon Godfrey, sales director, security at MTI. "It's imperative to assess corporate data and consider which data is critical, what the value of that data is and who might want it. But for organisations to be prepared for attacks and avoid costly data breaches, they also need to understand the methods and techniques that cyber-criminals are utilising to infiltrate their corporate systems."

He adds: "User education is also an extremely important part of improving security. The vast majority of breaches can be avoided or minimised through improved education of employees and users, but less than 1% of security budget is spent on it."

Much of the cost arising from a data breach is not inevitable and costs can be contained by prompt and efficient handling of a data breach. This is much more likely to occur if organisations prepare for what some observers see as the inevitability of a data breach.

Sean Newman, field product manager, Cisco, says: "No security plan is perfect, yet many organisations still do not factor the inevitability of compromises into their overall defence strategies, instead focusing on what must be done to keep
every conceivable type of threat at bay. This is reinforced by a reflexive assumption that new technologies can close every gap attackers need. Yet, research consistently reveals why some attacks can routinely bypass updated layers of network and endpoint security products."

He adds: "More than ever, preparing for an attack must include sealing off damage and more rapidly restoring systems to trusted states. There is no silver bullet in IT security; companies should prepare for when they will be the subject of a targeted attack, not if."

Berman cautions that acceptance of the inevitability of data breach should not be conflated with helpless fatalism. "Growing awareness of the potential impact of a data breach will inevitably spur some corporates into action," he says. "However, there is a real risk that some executives may learn the opposite lesson: the hackers are too good to stop, so there is no sense investing too much trying to prevent a hacking. This sense of fatalism is extremely dangerous and false."

About the author

Tracey Caldwell is a freelance business technology writer who writes regularly on security issues. She is editor of Biometric Technology Today, also published by Elsevier.

Resource

Ponemon Institute, sponsored by IBM. May 2014. http://www-935.ibm.com/services/us/en/it-services/security-services/cost-of-data-breach/.

References

1. 2013 Cost of Data Breach Study: Global Analysis. Benchmark research sponsored by Symantec, conducted by Ponemon Institute. May 2013. Accessed May 2014. https://www4.symantec.com/mktginfo/whitepaper/053013_GL_NA_WP_Ponemon-2013-Cost-of-a-Data-Breach-Report_daiNA_cta72382.pdf.
2. Dignan, L. 'Target CIO Jacob resigns following data breach'. www.zdnet.com/target-cio-jacob-resigns-following-data-breach-7000027020/. Accessed April 2014.
3. 'DigiNotar'. Wikipedia. Modified 20 Apr 2014. Accessed May 2014. http://en.wikipedia.org/wiki/DigiNotar.