The aftermath of a data breach can be measured in many ways, depending on who you are.
For those outside the organization, the public perception that an organization has been compromised, known as reputational damage, is often quoted as the most significant long-term aspect of a data breach.
To measure the effect of a breach on a company’s health, Comparitech analyzed the long-term impact on the share prices of breached companies. This research is nuanced and worth reading in full, but one of the headlines from the September 2019 edition is telling: after about a month, share prices rebound and catch up, on average, to NASDAQ performance.
The public confidence in a hacked company, compared to its peers, is not affected.
And most importantly, the companies keep operating. The companies in the analysis include many brands we continue to use every day in our digital lives: Yahoo!, eBay, LinkedIn and Facebook.
So what’s the real cost of a data breach?
According to research by Adrian Sanabria, a well-regarded former senior analyst in the information security community, there are a relatively small number of companies that are hacked out of existence. Examples of severe consequences for companies of all sizes are few and far between.
So for the board, it’s easy to underestimate the impact of a breach by looking at share price or sales targets alone. However, the real impact and costs from loss of continuity go much further. For Kaspersky’s Global Corporate IT Security Risks Survey, organizations of all sizes across the globe were asked about the broader costs they have to deal with when recovering from attacks. For enterprises, it’s now, on average, a cool $1.4M to clean up a data breach.
Beyond the financials, if you want your decision-makers to see all the consequences of a compromise, there are other factors to review. These are harder to define in absolute numbers, but they all affect the company’s performance and reputation. Keep these points in mind when assessing risk or advocating for an additional budget for defense.
Internal reputation damage
The internal reputation of the security team can be hit hard. Regardless of the actual cause, they can be seen as responsible. This carries further risks to the long-term success of the team:
Loss of continuity
A CISO (Chief Information Security Officer) is often expected to resign after a significant breach; they carry the can as their position is viewed as taking responsibility for the failure. I would argue the removal of a single leader as a way to solve often systemic and complex problems is a strategy only good for Hollywood villains. Next time you’re at the cinema, notice how successful their organizations are by the end of the movie.
Scapegoating your CISO is an unwise strategy. It will take months, or even years, for the new CISO to be hired then acquire the knowledge of their predecessor, the established relationships, ways of working, and so on.
The new CISO, as with any incoming C-suite leader, tends to make changes to make their mark, which can cause further disruptions in continuity and additional strain on the InfoSec team.
Morale is tricky to measure and account for, but from the conversations I have with members of the InfoSec community, your IT staff can be despondent after a breach, particularly the security team. This may be in part due to the implication that their efforts didn’t protect the company, and in part, due to burnout from the increased efforts to recover after a breach.
The negative effect on Equifax staff is a particularly good example. Individuals were criticized on social media and even received death threats, without appropriate support from the organization to safeguard team members’ reputations and mental health.
Increased auditor scrutiny
Both your internal audit teams and the third-party auditors you bring in will increase their efforts to ensure they’re not seen as missing something, and therefore being the party to blame for any future compromise. That sampling approach you used before that saved hours of unnecessary analysis? That won’t be allowed anymore.
More internal bureaucracy
Organizations often respond to a breach by imposing new requirements on all staff, rather than by making the existing requirements easier to understand and follow. This can make it harder for employees to understand and follow instructions, or more likely to bypass them to get their job done, which, in turn, could increase your organization’s exposure to risk.
So what should you do differently?
With all these potential consequences and risks, here are some tactics you could try to have a happier ending after a breach.
Keep your CISO
Unless the incident can be directly attributed to an irreversible failure on the part of the CISO, don’t fire them to appease customers or shareholders or any other aggrieved group holding a short-term view. Your CISO will have the experience and knowledge you need to see you through this issue. According to Kaspersky’s 2019 survey based on more than 20 personal interviews with CISOs, unless the incident was directly their fault, the majority felt their employer would support them.
Invest in building a cyber-aware culture
Strengthen cyber-awareness training for all employees. This can help your employees work together more effectively in the face of a common enemy (cybercriminals), and appreciate the difficulties the security team faces keeping the organization safe.
Plan your breach recovery strategy
The best time to prepare for your recovery from a breach is before it happens. Take one step today, maybe start to look at how your organization would detect a breach, or how you can test the detection capabilities you have.
Re-examine your existing strategies. For example, Kaspersky’s IT Security Economics report highlights the benefits of having a DPO (Data Protection Officer) and SOC (Security Operations Center) in reducing the financial impact of an incident.
When estimating impact, at any point before or after an incident, make sure you and your stakeholders appreciate these factors and consider them alongside the financial assessment. Ensure everyone has all the facts, not just those that are easiest to quantify.
Any organization today has to “assume breach,” from the smallest company keeping an offline backup away from the office to the largest enterprise looking to implement an advanced defense solution stack, which includes EDR (endpoint detection and response) and an anti-targeted attack solution.
But a side effect of this wise approach can be an undue pessimism about the effect of being compromised. By giving your CISO the confidence to make long-term plans because they’ll survive short-term problems, by improving the security awareness within your organization and by preparing in advance, you can make it through a compromise relatively unscathed.
With a more planned and supportive approach to safeguarding the reputation and strengthening the performance of your InfoSec team, you will build a more secure and resilient organization in the long run.
This article was published in January 2020.