Are we crying wolf?

 
Thread Tools Search this Thread
# 1  
Old 07-09-2008
Are we crying wolf?

A short article by David Hobson on the Catalogue eBusiness site caught my imagination this morning. David deconstructs the costs that an organization incurs when it suffers a major information security breach. Summarizing and paraphrasing the article, the identified costs break down as follows:
  • Obvious, direct or tangible costs such as:
    • Replacing stolen equipment;
    • Improving security controls to stop the losses and prevent recurrence;
    • Notifying affected parties;
    • Defense against litigation such as customer lawsuits, plus fines and damages;
    • Further costs such as credit monitoring for affected customers and fraud settlements with banks/credit card companies;
  • Concealed, indirect or intangible costs such as:
    • A share price dip (albeit typically rather short term);
    • Reputation and brand damage negating prior marketing investments and necessitating increased marketing expenditure in an attempt to restore brand value;
    • Customer erosion, i.e. lost sales.
The examples David uses to illustrate his points are mostly business-to-consumer retailers who have suffered major credit card database breaches, the kinds of thing that hit the headlines and end up being listed at the Privacy Rights Clearinghouse. The actual costs would be different in each case of course, and perhaps significantly different in breaches affecting other types of organization. A financial services company - a bank for example - would probably swallow the obvious/direct/tangible costs with hardly a thought but the concealed/indirect/intangible costs could cripple its future business prospects, since "protecting your money" is so obviously a central plank of its value proposition to customers. Similarly, business-to-business companies that typically depend on relatively fewer but larger/more valuable relationships with customers, partners and suppliers, may suffer disproportionately through brand and relationship damage. I'll leave you to think about the nature of costs at yet other types of organization: SMEs, manufacturers, military units, charities, technology companies, information security specialists ... there's an endless variety to ponder.

Looking back at David's list of costs, it occurs to me that there are numerous entries missing, some of which could be significant:
  • Press releases, publicity, promotional and legal activities to explain and ideally mitigate the immediate damage, even before commencing the brand rebuilding phase;
  • Investigation, forensic analysis and associated legal costs, leading perhaps to prosecution of the perpetrators (many of these costs will be incurred even if there is little prospect of prosecution, just in case it ever comes to court);
  • A dip in management and staff confidence, leading to low morale, reduced productivity, diversion of efforts towards the breach containment and fix, and perhaps resignations of key people (whether forced or voluntary, directly implicated in the breach or 'collateral damage');
  • Reduced applications for job vacancies from quality candidates scared off by the incident and surrounding publicity;
  • Reduced investment in planned or potential new business initiatives, whether because of a lack of funding or through 'reprioritization of budgets' to focus on restoring security, confidence and brand value, leading perhaps to a reduction in market advantage;
  • Increased charges from auditors and other expert advisors, some directly addressing the breaches and controls, others involved in conducting broader governance and security reviews, offering security and marketing advice etc.;
  • Increased cost of capital, due to patently increased risks evidenced by reductions in the share price, brand value, stakeholder confidence etc., increasing downstream borrowing costs;
  • Opportunistic exploitation by companies offering 'quick-fix solutions' to stem the bleeding without actually addressing the underlying illness;
  • Costs to other victims besides the organization - identity theft, fraud and general grief should not be underestimated for these collateral victims;
  • Negative impacts on society at large, such as a generalised reluctance to use credit cards, online banking etc., increasing costs for face-to-face financial transaction processing and technophobia.
And to be fair, there are potential upsides to incidents too:
  • Increased transparency to customers and other stakeholders through 'coming clean' about the incident, with the implication that perhaps the organization is going to be more honest and open in future;
  • Better management appreciation of information security risks, hopefully with increased investment in information security risk management and controls in general, leading to a broader reduction in costs and losses through all security breaches (including relatively minor ones that never make the headlines, such as 'insider threats');
  • Replacement of outdated equipment, software and controls with more modern, efficient and effective ones (well, possibly!).
Finally, looking at the big picture, I'm left reflecting on how closely breach costs typically projected by information security and risk management professionals (like us) reflect what actually occurs in practice. As with the oft-repeated claims about a significant proportion of organizations without contingency plans going bust after a major incident or disaster, I'm wondering how accurate our predictions are, in fact. Most organizations seem to suffer relatively short term impacts even from major breaches, and pretty soon the world moves along. The news media and stock markets, if not the individual victims, seem to forget quite quickly. The credit card machines at TKMaxx are buzzing again. I wonder what proportion of the general public even understands, let alone cares, about such incidents given that the banks and credit card companies seem so happy to indemnify them.


Infosec/risk professionals are naturally cautious by nature, cynical and perhaps slightly paranoid in outlook. We're trained and paid to look on the dark side. The open question in my mind is: do we go too far? Is the dark side quite such a deep shade of black in reality? Or are we crying wolf?

Kind regards,
Gary

Gary Hinson
Passionate about security awareness
www.NoticeBored.com Creative awareness materials
www.ISO27001security.com ISO/IEC 27000 standards