The cost of being hacked
All networks are at risk of breach, no matter how much cyber protection is thrown at them.
According to a recent study conducted by Kaspersky Lab, over 90% of the businesses that participated in the study admitted to a breach of network security integrity, and over 45% lost sensitive data due to the breach.
It stands to reason then, that all of our networks are at risk of breach, no matter how much cyber protection is thrown at them. But what is the cost of that breach? What do we measure, and where in our value chain do we look for impact? How will our reputation, client relationships, and operational environments be affected? How do we calculate the impact and devise an investment strategy to match?
If we were to take a 360 view of this topic: How much does it cost our clients when we let them down?
The three primary functional areas likely to be affected during and after a network security breach are:
Financial - losing client contracts, loss in ROI for previous security investments, clients claiming damages, hiring specialists to assist with repairing the damage, loss in brand value, increased insurance costs, etc.
Operational - time lost by employees resolving and repairing, the adjustments required in governance practice, policies and process, impact to KPI metrics and other organisational performance measures, etc.
Reputation - brand image deterioration, PR nightmare, loss in customer confidence.
Down the rabbit-hole
To drill down a little further, when looking at the inputs to the financial risk, I would consider the following:
How much did it cost to win that client who now wants to cancel their contract due to the impact they felt when my network was breached? Do they want to claim damages? We all know it costs more to win a client than to keep one, but this instance may be the exception to the rule!
A network security strategy costs a bit of money. But smart companies would have outsourced to a specialist who should have carried most of the risk in the first place. Either way, there has been previous investment in security measures that need to be accounted for in calculating the overall costs of a breach.
Not to mention how much it will cost to: remediate the damage caused to core systems and data pools, software licence renewals/upgrades, HR costs for specialist consultants and employee overtime, etc.
What about the PR and advertising costs incurred to push a positive message after the breach, to help repair the damage to the brand and communicate with clients?
If you have already procured specialised insurance, the premiums are likely to increase. If you thought the business model or focus had no need for this added insurance expense, there is nothing like this rude awakening to sober you up!
Operational costs can become a little blurred, as they theoretically are "run-of-the-mill" anyway. But think about the overtime employees will likely have to put in to repair damaged systems, the impact on their morale, or their confidence in the integrity of their personal information stored in company records.
What about the effort by "management" having to review or change how the organisation measures performance, success, or quality of work? The time and effort it takes to revamp operational process and policy, and to engage with vendors and legal teams?
In assessing reputational impact, you need to look at both sides of the coin:
Side 1: There will be backlash and negative impact to the company's reputation and brand image. That is inevitable.
Side 2: No such thing as bad PR. As bad as it gets (and it can get pretty bad - look at Sony still paying damages post its breach in 2014: around $171 million worth), this could represent an opportunity to showcase your remediation strategy. If well-prepared, the strategy includes post-impact recovery mechanisms like PR campaigns, client support actions, messaging strategies and the like. There is also the possibility of finally realising value from the company's spin-doctor.
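To make the cost inputs above concrete, here is an added example (not code from the article or from 10dot) that structures the financial, operational and reputational line items as breach scenarios, weights each by an assumed annual likelihood to get an expected annual loss, and ranks candidate security investments by the loss they avoid against what they cost. The article gives no formula; the expected-loss model, the scenario names, the line-item amounts, the likelihoods and the assumed likelihood reductions are all constructed assumptions for illustration.

```python
from dataclasses import dataclass


@dataclass
class BreachScenario:
    """One way a breach could play out, costed across the three impact areas."""
    name: str
    annual_likelihood: float  # assumed probability of this scenario in a year
    financial: dict           # e.g. cancelled contracts, damages, specialists, PR
    operational: dict         # e.g. overtime, process/policy rework, legal effort
    reputation: dict          # e.g. lost customer confidence

    def single_loss(self) -> float:
        """Total cost if the scenario happens once."""
        return (sum(self.financial.values())
                + sum(self.operational.values())
                + sum(self.reputation.values()))

    def expected_annual_loss(self) -> float:
        """Likelihood-weighted cost, so scenarios can be compared and summed."""
        return self.annual_likelihood * self.single_loss()


@dataclass
class Investment:
    """A candidate security spend and the likelihood reduction it is assumed to buy."""
    name: str
    annual_cost: float
    likelihood_reduction: dict  # scenario name -> fraction of likelihood removed


def total_expected_loss(scenarios):
    """Sum of expected annual losses across all modelled scenarios."""
    return sum(s.expected_annual_loss() for s in scenarios)


def avoided_loss(investment, scenarios):
    """Expected annual loss removed by one investment across all scenarios."""
    return sum(s.expected_annual_loss() * investment.likelihood_reduction.get(s.name, 0.0)
               for s in scenarios)


def rank_investments(scenarios, investments):
    """Rank by net benefit (avoided loss minus cost); also report return per unit spent."""
    rows = []
    for inv in investments:
        avoided = avoided_loss(inv, scenarios)
        rows.append({
            "name": inv.name,
            "avoided_loss": avoided,
            "net_benefit": avoided - inv.annual_cost,
            "return_per_unit": avoided / inv.annual_cost,
        })
    return sorted(rows, key=lambda r: r["net_benefit"], reverse=True)


# Constructed sample data: amounts and likelihoods are illustrative, not from the article.
SCENARIOS = [
    BreachScenario(
        "Client data exfiltration", 0.3,
        financial={"cancelled contracts": 400_000, "damages claims": 250_000,
                   "remediation specialists": 120_000, "insurance premium increase": 30_000,
                   "PR campaign": 80_000},
        operational={"employee overtime": 60_000, "process and policy rework": 40_000,
                     "legal and vendor engagement": 25_000},
        reputation={"lost customer confidence": 200_000},
    ),
    BreachScenario(
        "Ransomware outage", 0.15,
        financial={"remediation": 150_000, "licence upgrades": 50_000},
        operational={"employee overtime": 90_000, "lost productivity": 120_000},
        reputation={"lost customer confidence": 60_000},
    ),
]

INVESTMENTS = [
    Investment("Outsourced security specialist", 120_000,
               {"Client data exfiltration": 0.5, "Ransomware outage": 0.4}),
    Investment("Backup and recovery overhaul", 40_000, {"Ransomware outage": 0.7}),
    Investment("Staff security awareness", 15_000,
               {"Client data exfiltration": 0.1, "Ransomware outage": 0.2}),
]

if __name__ == "__main__":
    print(f"Expected annual loss before investment: {total_expected_loss(SCENARIOS):,.0f}")
    for row in rank_investments(SCENARIOS, INVESTMENTS):
        print(f"{row['name']:32} avoided {row['avoided_loss']:>10,.0f}  "
              f"net {row['net_benefit']:>10,.0f}  return/unit {row['return_per_unit']:.2f}")
```

The two ranking columns answer different questions: net benefit says which option buys the most protection outright, while return per unit spent says which option stretches a limited budget furthest, so a cheap awareness programme can outrank a larger outsourcing contract on the second measure even though it avoids less loss overall.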
Victory loves preparation
In determining an appropriate investment strategy for network security, first understand what the risk translates to in money, operational and relationship terms. Only once the company has a grasp of the scale of the impact, will it be able to mitigate the impact effectively.
I am a firm believer in casting the net as wide as possible. There is no such thing as too much information! And don't be afraid of the risk. It could represent an opportunity to showcase foresight and preparedness. Be positive about risk and stand firm on commitments to clients and to your survival as a business.
As Abraham Lincoln once said: "Give me six hours to chop down a tree and I will spend the first four sharpening the axe."
In other words, and to quote a line from the movie "The Mechanic": "Victory loves preparation."
* The damage of a security breach: financial institutions face monetary, reputational losses. Fran Howarth, 30 April 2015.
* Damage control: The cost of security breaches. Kaspersky Lab.
* Losses from security breaches becoming significant for firms. Ellyne Phneah, 11 June 2012.
* Coming into focus: Cyber security operational risk. Torsten George, 21 May 2015.
* 2015 cost of data breach study: Global analysis. Ponemon Institute, benchmark research sponsored by IBM, May 2015.
* Cyber security: Operational impacts. Luke de Kretser, 7 November 2014.
Jared van Ast is the founder and MD of 10dot Cloud Security. He is frustrated with diluted value propositions, and he loves to do things properly. He is suspicious by nature and habitually pragmatic. Focused on network security, 10dot works to lock up business networks and help them grow. With over 15 years' experience in the IT and ISP sectors, Van Ast is hell-bent on enabling companies to focus on core business.