Security incidents generally stem from some sort of identity-related failure or oversight: credential misuse, the wrong employee having access to information, or a phishing attack that results in an attacker gaining privileged access to the network. Many have attempted to put a price tag on data breaches as a way to encourage organisations to embrace the philosophy that security ultimately has a great return on investment.
With these incidents now a growing inevitability for any organisation, security professionals sometimes use these metrics to support decision making. They need an idea of what a potential breach could cost in order to assess how much to spend on preventing it, and to help justify security spending to the Board.
Data breach checklist
When calculating the potential cost of a data breach for your own organisation, consider the following checklist:
- If a breach occurs, are we legally required to notify our customers? How do we do that (e-mail, phone, postal mail, registered mail)? What does it cost in time, labour and materials?
- If we notify our customers and every 10th customer calls our tech support, do we need to temporarily increase the number of CSRs? What will that cost (e.g. in HR costs, overtime, etc.)? What if every 5th customer calls? What if every other customer does?
- If the breach results in financial damage to our customers, are we liable to compensate them?
- If we are dealing with credit cards and they need to be cancelled, what will cancellation/card reissuing cost?
- What is our average cost of acquiring a new customer? If that increases n per cent for the next year, how much does that cost?
- What is the current churn rate? How much does it cost if it increases n per cent?
- Are we willing to offer some compensation to affected customers? If so, what? What does it cost (per customer)?
- In the event of identity theft, are we going to offer credit monitoring to affected customers? For how long? What does that cost?
- Can we expect to be fined by a regulator? If so, what is the fine amount in a worst case?
- Is there a law mandating personal liability of management? Will someone go to jail?
- Is there a contractual penalty that needs to be paid in the event of a breach (e.g. to a business partner, customers, vendor/supplier, a credit card company, etc)? If so, to whom and what is the amount?
- Will external forensics experts need to be pulled in to help in the breach investigation? How much does that cost?
- If a breach happens, can we continue operating while the post-breach investigation/forensics process is taking place, or do we need to suspend operations (even partially)? How much revenue do we lose by doing so (e.g. per day)?
- After a breach, it is usually necessary to rebuild (at least some of) the affected IT systems and verify the integrity of records. What are the related costs (including hardware rental, labour, time and materials, as well as revenue lost if the compromised system must be taken offline, etc.)?
- Will we need to pull in external legal assistance? What is the estimated cost?
- Will external PR/communications experts need to be pulled in to help contain the damage? What is the cost?
- What percentage of customers are likely to sue in the event of a breach? How much would that cost in legal fees and damages paid?
- How will the breach affect the short-term share price of the organisation? What financial effect does a sudden drop in share price have? What if the breach happens just as management is in the middle of talks about a merger/acquisition?
- If trust is severely broken and customers react en masse, what effect does that have on the liquidity of the company?
Weigh these numbers up against doing the right thing
If the above (non-exhaustive) list has left your head spinning, let's hark back to the first point made in this article: most data breaches stem from some sort of identity failure or oversight. It therefore makes sense for organisations to put identity at the very heart of any security strategy.
This could encompass four main areas:
- Identity administration, or how companies create new identities or user accounts, modify or delete existing ones, and manage the security entitlements associated with those identities/users.
- Identity governance, or the policies that make up the centralised orchestration of user identity management and access control. Identity governance helps support enterprise IT security and regulatory compliance.
- Privileged account management, which covers the management of those accounts that control the rest, as well as the organisation's most critical systems - much like the keys to the kingdom.
- Account lifecycle management, which covers the processes around provisioning and deprovisioning user accounts.
Whether it's improving identity administration, access control or tightening up privileged account management, an improvement in just one of these crucial areas will see companies dramatically reduce the likelihood of a data breach. And in the event that the organisation does get breached, the impact can be kept to a minimum: for example, even if malicious actors do get into non-critical systems through a user account, buttoned-up privileged account management prevents them from pivoting into more critical systems.
Organisations will always have to make tough choices about the risks they are willing to accept. Weighing up the potential damage of a data breach against the spend required to improve their identity practices could make this significant business decision a no-brainer.
Todd Peterson, IAM evangelist, One Identity