FEATURE

The true cost of being hacked
Tracey Caldwell, freelance journalist
Computer Fraud & Security, June 2014

Putting a figure on the cost of data breaches is akin to nailing jelly to a wall. Yet as enterprises attempt to insure themselves against losses and CISOs fight for budget, it is increasingly important to work out the financial impact of a data breach on the organisation.

A number of people have attempted to cost out the losses from a data breach incident. But is everything factored in? What about legal costs, for example? Research company Ponemon's 'The Cost of a Data Breach' report found that German and US companies had the most costly data breaches ($199 and $188 per record, respectively).1 It found that the average UK firm could be liable for costs of over £2m should it fall victim to employee negligence or malicious attack.

Ponemon explains that to calculate the average cost of a data breach, it collected the direct and indirect expenses incurred by the organisation. Direct expenses include engaging forensic experts, outsourcing hotline support and providing free credit monitoring subscriptions and discounts for future products and services. Indirect costs include in-house investigations and communication, as well as the extrapolated value of customer loss resulting from turnover or diminished acquisition rates.

PwC has also had a shot at costing data breaches. Its 2013 Information Security Breaches Survey, funded by the Department for Business, Innovation and Skills (BIS) and carried out in conjunction with Infosecurity Europe, found the average cost of the worst security breach for small organisations was £35,000-£65,000 and for large organisations was in the range £450,000-£850,000. The vast majority of these were through cyber-attack by an unauthorised outsider. Several individual breaches cost more than £1m.

Andrew Miller, PwC information security director, says: "Organisations need to make sure that the way they are spending their money in the control of cyber threats is effective. Spending on cyber control as a percentage of an organisation's IT budget is up this year from an average of 8% to 10%, but the number of breaches and their impact is also up as well, so it is clear that there is work to be done in measuring the effectiveness of the security spend."

Heaviest sufferers

According to a recent Dell Software security survey, the average cost of security threats in the UK currently stands at $793,747. The accompanying Dell chart shows the average costs of security threats globally. The UK is the third-highest sufferer of security threats, with Germany and the US the heaviest sufferers of security attacks. Canada has the lowest spend on its IT security, yet it sees the lowest number of attacks.

[Figure: Average per capita cost of a data breach in the UK over seven years. Source: Ponemon Institute/IBM.]

Dell has found that the UK spends 11.6% of its overall IT budget on security, while the US spends a larger 20.7% of its overall IT budget. However, the survey discovered that 68% of UK respondents are planning to increase their spend on IT security in the next two to three years
and 79% will be placing security as a top priority within the next year.

The security survey covered many different business sectors, including government, financial, education, healthcare and retail. The global average cost of a security breach sets organisations back $917,884, with the healthcare sector suffering the most.

In Europe the cost of a data breach looks set to rise. The new EU Data Protection reform, if made law, will expose businesses to fines of up to 2% of their global annual turnover. The European Parliament has even proposed to raise the sanctions to 5%.

Seth Berman, UK executive managing director of Stroz Friedberg, comments: "Nobody has real numbers on this. Even an organisation that has suffered a breach would find it difficult to put an accurate figure on the total cost, which would be influenced by factors such as the timing of the announcement. For example, the decision to disclose details of a breach in the run-up to a busy trading period could have a significantly different impact on the overall cost, compared to the same incident happening at a different time of the year."

He adds: "It is extremely difficult to calculate a true total cost for data breaches for three reasons. First, each incident is unique and may impact a victim in different ways. Second, it is very difficult for a victim to ever truly know the cost the breach might have on third parties. Finally, breaches often have very significant secondary costs, say, the loss of business in the wake of the public announcement of the breach. These secondary costs are hard to accurately measure. Thus, rather than providing a monetary cost, it might be easier to think about the different categories of cost that a large scale hacking typically causes.

"The first type of cost is the direct cost, which is the cost of engaging law firms, security experts, PR consultants and others to deal with the immediate response to a data breach. Next comes the cost of fines and compensation to the victims of the breach, which can include payments to suppliers, customers, regulators and others. In many instances, the investigation into the cause of a breach reveals the need for a radical upgrade of existing IT network systems to ensure that a similar incident does not happen again."

He concludes: "Perhaps the most significant cost from a data breach, and the very hardest to measure, can be the lost business that is caused by the reputation damage of the public announcement of the breach. In many incidents, this cost dwarfs all of the other costs. Think of the impact on a retailer whose breach might be revealed just before the busy Christmas shopping season, or a law firm whose clients came to believe that it could no longer be trusted with their secrets."

[Figure: Average total organisational cost of a data breach in the UK over seven years. Source: Ponemon Institute/IBM.]

[Figure: The annual cost of security threats. Source: Dell.]

The price tag of retail attacks

The recent hacking attacks on major retail chains in the US, namely Target
and Neiman Marcus, have had a wide-ranging impact, costing banks, credit unions, insurers and other financial institutions hundreds of millions of dollars. According to the US Consumer Bankers Association (CBA), the Target breach alone cost $200m just to start replacing customers' payment cards.

The Independent Community Bankers of America (ICBA), which represents smaller and local banks, says its members have spent $40m replacing four million cards after the Target and Neiman Marcus breaches. In addition to these card replacement costs, the banks may also need to refund fraudulent transactions made on the accounts.

[Figure: Cost of security threats by business sector. Source: Dell.]

In March 2014, Target CIO Beth Jacob resigned, to be replaced by a new dedicated chief information security officer (CISO) position and a new chief compliance officer (CCO), and the tab for Target's data breach had mostly been covered by insurance, reports ZDNet.2 The costs for the fourth quarter were $61m, but $44m was covered by insurance. It is unclear what's going to happen to premiums. Then there will be remediation costs, although an interesting question here is whether a good part of these costs come from installing security it should have had in the first place.

Mark Koek at the Forum of Incident Response and Security Teams (FIRST), which consists of Internet emergency response teams from more than 200 corporations, government bodies, universities and other institutions worldwide, believes it is simply not possible to put a precise value on the cost of a data breach incident.

"Even in the extreme example of DigiNotar, it is impossible to quantify the damage done," he says.3 "This incident in 2011 caused bankruptcy, so you could say that the cost amounted to the value of the entire company. However, there are also external parties that suffered damages through data theft, and these damages are extremely hard to calculate."

He adds: "As a result of the DigiNotar breach, the Gmail accounts of 300,000 Internet users in Iran were accessible to the government for a short period of time. But there is no way of knowing the consequences that had, and continues to have, for those people, or of being able to put a precise value on it."

[Figure: Per capita cost of a breach by industry classification of benchmarked UK companies. Source: Ponemon Institute/IBM.]

Andy Crocker, founder and CEO of Protect 2020, is a former officer with the UK National Hi-Tech Crime Unit. In this role he played a major part in investigating and helping to convict Russian organised criminal groups attacking UK and European companies through the Internet. He also worked for SOCA, the UK government law enforcement agency, in its e-crime directorate, and has developed advanced methods for combating Internet attacks. Crocker believes
the true cost of such complex incidents with wide repercussions may never be known.

"In my opinion it is very difficult to factor everything in; the variables are too great," he says. "The loss of customer confidence, and therefore their loyalty and retention, is almost impossible to put an accurate figure on. You also need to add in the cost of new mitigation or defence systems and training needed to prevent another attack."

Recouping losses

If the criminals are caught there is the possibility that losses may be covered, but the possibility is slim. "If convicted cyber-attackers are in the same country as the victim and there are assets that can be seized then this is a relatively easy process for the police and the courts," says Crocker. "Such an occurrence is rare, however, because cyber-criminals are normally based in other countries and the fact is not that many fraudsters get caught. The police will promote the arrests of those convicted but generally they are the mules that are used to cash out. Very rarely are they the real criminal who stole the money."

Crocker's investigations of criminal groups attacking UK and European companies through the web identified three types of cyber-criminal: the money-motivated, the ego-motivated and those who are politically motivated.

"For criminals motivated by money, financial gain is the prize," he says. "However, it is very unusual for them to try and steal money directly. Personally I have only dealt with a couple of cases that have done so. In the main they target financial details, including bank account details or credit card details. Cyber-criminals can then either cash them out themselves, which is rare, or they then sell the data on criminal forums. In my experience there are very few all-rounders that know how to steal data and then how to cash out. Often they sell the data to others who then cash out."

In his opinion the real costs of being hacked result from loss of reputation and the loss of customer confidence. The problem is also that these are areas that are hard to place a financial figure on but can cost the company much more than the initial hack.

[Figure: The value of a hacked PC to cyber-criminals. Based on data by EJ Hilbert.]

Customer retention

EJ Hilbert, head of cyber investigations at Kroll, points out that the cost of a breach is shared by several players: not just the firm that lost the data but the people whose information was stolen, the companies who secured it and the companies with whom the victim may have had a relationship. Before joining Kroll, Hilbert spent eight years as a Special Agent for the FBI, and led large cybercrime investigations addressing the computer intrusion, theft of data and extortion of over 600 financial institutions.

"Costs to third parties and partners are very difficult to track because they are not always tangible," he explains. "How do you track reputational damage? Or claim that this man hour was spent addressing X, which isn't normally part of their job but was deemed more important because Y occurred?

"Card replacement is often the biggest trackable cost, with some figures reporting $25 per card and linking directly to the items stolen. Also trackable are legal fees and costs for outside vendors to investigate the matter as well as mitigate the risk of a breach reoccurring. But most companies don't like to list all the costs as it means they might have to reveal more problems to the media or public."

There is also a cost associated with digital forensics to find out how the breach occurred and/or who was responsible. "The cost of forensics will vary depending on the amount of data, systems and people involved," says Hilbert. "If you think of it in man hours, 1GB is approximately 50,000 pages of paper. How long will it take one person to review those pages? Even with software doing it, a human has to review the results, narrow the searches and follow the trail as the data moved through systems. Most desktop computers have 500GB capacities and servers are in the terabytes."

Insuring losses

The challenge of assessing the potential cost to an organisation of a data breach can have serious implications when trying to insure against losses. Mark James, technical director at ESET UK, believes that insurance won't come even close to recouping losses: "The financial damage involved from a security breach cannot be worked out in the limited time before any type of trial is set up. Hackers would not even be in a position to pay back single percentages of the total cost, let alone say 50%," he says. "The key problem is not being able to actually determine what was taken,
statements made by organisations after a breach are usually along the lines that 'We think X amount of data was compromised.' Without knowing exactly what X is, the cost can't be truly determined."

Berman at Stroz Friedberg does not discount the role of insurance but cautions that care must be taken: "Cyber insurance has an important part to play in any risk mitigation strategy but, as with any type of insurance, policies are written in many different ways and cover different aspects of a breach. It is, therefore, necessary to ensure the cover is tailored to the specific needs and exposure of each business."

Neiman Marcus, and why you should check your logs

After the high profile data breach at Neiman Marcus, it emerged that the hackers who breached the firm's payment systems set off hundreds of alarms during the 60,000 times that they accessed the company's networks. Expert observers have questioned the logic of investing in security systems that appear to have been simply ignored.

"The best, most expensive system in the world is useless if the people manning it don't know what to do or don't respond to the alerts when they occur: 60,000 alerts for NM is a lot of alerts and you have to wonder why they were missed. Did the team not understand the alerts? Was the team not trained properly?" says Hilbert.

He adds: "Every company needs to educate its employees about the risks at a personal level and it will flow down to the corporate world. These training costs are part of doing business. Would you train an employee how to close the till after each transaction but not on how to respond to a fire alarm? Probably not. Throwing extra equipment at it is not always the answer. In fact, most of the latest equipment is about threat intelligence so that current systems can be updated to recognise potential threats, but again it requires a human to respond appropriately."

It has since been reported that the 60,000 accesses represented around 1% of the events logged, and although alarms were triggered, the retailer's security systems did not identify the activity as malicious. According to a report by consultancy Protiviti, Neiman Marcus was in compliance with data protection standards at the time.

Shawn Modarresi, president of cyber-security company OxCept, comments: "Securing systems to curtail intruders is not an expensive proposition. A lot of the servers and POS systems being utilised today are either outdated or do not have the proper controls in place. Engineering departments need to do a lot more R&D when it comes to understanding what is needed in order to stop hackers from getting into networks. In the example of Neiman Marcus it is coming to light that not only did their back-end not have a sufficient security protocol but systems in place were outdated."

Security intelligence

Martin Borrett, director of the IBM Institute for Advanced Security, recommends that organisations strive towards security intelligence. "Security intelligence helps to remove false positives and focus valuable resources and efforts into a set of focused actionable events and alerts," he says. "When properly implemented, security intelligence can give visibility and insight into the behaviour of insiders and hackers breaking in from the outside."

He believes that more intelligent security tech has a part to play. "Solutions exist in the marketplace today that are highly effective at addressing this challenge in a cost effective way."

Conclusion

Others believe that a more cost-effective way of containing the costs of being hacked includes spending more money on people. "Businesses of all sizes must take a more proactive approach to improving their security," says Simon Godfrey, sales director, security at MTI. "It's imperative to assess corporate data and consider which data is critical, what the value of that data is and who might want it. But for organisations to be prepared for attacks and avoid costly data breaches, they also need to understand the methods and techniques that cyber-criminals are utilising to infiltrate their corporate systems."

He adds: "User education is also an extremely important part of improving security. The vast majority of breaches can be avoided or minimised through improved education of employees and users, but less than 1% of security budget is spent on it."

Much of the cost arising from a data breach is not inevitable, and costs can be contained by prompt and efficient handling of a data breach. This is much more likely to occur if organisations prepare for what some observers see as the inevitability of a data breach.

Sean Newman, field product manager, Cisco, says: "No security plan is perfect, yet many organisations still do not factor the inevitability of compromises into their overall defence strategies, instead focusing on what must be done to keep
every conceivable type of threat at bay. This is reinforced by a reflexive assumption that new technologies can close every gap attackers need. Yet research consistently reveals why some attacks can routinely bypass updated layers of network and endpoint security products."

He adds: "More than ever, preparing for an attack must include sealing off damage and more rapidly restoring systems to trusted states. There is no silver bullet in IT security: companies should prepare for when they will be the subject of a targeted attack, not if."

Berman cautions that acceptance of the inevitability of data breach should not be conflated with helpless fatalism. "Growing awareness of the potential impact of a data breach will inevitably spur some corporates into action," he says. "However, there is a real risk that some executives may learn the opposite lesson: the hackers are too good to stop, so there is no sense investing too much trying to prevent a hacking. This sense of fatalism is extremely dangerous and false."

About the author

Tracey Caldwell is a freelance business technology writer who writes regularly on security issues. She is editor of Biometric Technology Today, also published by Elsevier.

Resource

'Cost of Data Breach' study. Ponemon Institute, sponsored by IBM. May 2014. http://www-935.ibm.com/services/us/en/it-services/security-services/cost-of-data-breach/.

References

1. '2013 Cost of Data Breach Study: Global Analysis'. Benchmark research sponsored by Symantec, conducted by Ponemon Institute. May 2013. Accessed May 2014. https://www4.symantec.com/mktginfo/whitepaper/053013_GL_NA_WP_Ponemon-2013-Cost-of-a-Data-Breach-Report_daiNA_cta72382.pdf.
2. Dignan, L. 'Target CIO Jacob resigns following data breach'. ZDNet. www.zdnet.com/target-cio-jacob-resigns-following-data-breach-7000027020/. Accessed April 2014.
3. 'DigiNotar'. Wikipedia. Modified 20 Apr 2014. Accessed May 2014. http://en.wikipedia.org/wiki/DigiNotar.
Safeguarding the future of the Internet
Axel Pawlik, RIPE NCC

The Internet's founding principles of openness and freedom have seen it grow into an incredible tool that is changing lives and connecting people around the world. With the Internet impacting everything from business and entertainment to education, health, art and science, it's vital that this resource remains open and secure for the billions of people who now rely on it in their daily lives. Yet there are several areas of significant concern, one of the most central being privacy. This issue has been debated since the Internet's inception and it remains a point of focus in the industry today, presenting an undeniable challenge as our reliance on the Internet grows.

Stark relief

Last year, revelations about the online surveillance activities of the US National Security Agency (NSA) brought questions about privacy into stark relief. It was discovered that the NSA had co-ordinated a global programme called PRISM to access the contents of emails and live chats held by the world's major Internet companies, including Google, Facebook and Skype.

The NSA also collected search histories and details of file transfers. PRISM leveraged the direct access the NSA has to the Internet's key pipelines and then used court orders authorised by the Foreign Intelligence Surveillance Act (FISA) to collect specific data from technology companies. While legal and ethical deliberations were debated throughout the media, it also brought fresh concerns to the forefront of the minds of consumers and the general public. Also noteworthy were later revelations concerning the activities of the UK counterpart, GCHQ, including its co-operation with the NSA to circumvent legal restrictions on surveillance.

Recently, organisations that had previously avoided commenting on this controversial topic, including Facebook, Google and Microsoft, have spoken out about the need to protect individuals' privacy on the Internet. Their comments can be seen as a response to growing concerns about security and protection for users on websites and social media.

In a separate event in October 2013, Adobe confirmed that private information regarding 2.9 million customers had been stolen during a sophisticated cyber-attack on its website. This is just one of many recent examples of high-profile hacks making individuals' personal information available and leaving users exposed and vulnerable. Adobe was praised for its swift and effective response, apologising to its customers and providing them with a one-year subscription to a credit-