What does a security breach or malicious hacker attack actually cost? For organizations that lack a fully resilient infrastructure, the true costs can include operational interruptions, loss of customer trust, lawsuits and compliance regulation fines.
Consider the costs an organization can expect to incur from ransomware.
In March 2018, Atlanta’s city government was hit with a ransomware attack, in which criminals demanded roughly $51,000 in bitcoin to restore the city’s systems. Atlanta didn’t pay.
Consequently, according to Engadget, more than one-third of the city’s necessary programs went offline or were partially disabled. Worse, Atlanta’s city attorney’s office lost six of its 77 computers and 10 years of documents, and the Atlanta police department lost its dash cam recordings. Initially, the cost of recovering from the attack was estimated at $2 million, but that figure soon increased by another $9.5 million.
Here are some examples of the hidden costs a security incident may bring, with tips on how to avoid them through business resilience best practices.
Hidden security breach costs
Emergency assistance from consulting firms. After a breach or attack for which you’re unprepared, you may need an outside consulting firm to help you bounce back. For instance, the city of Atlanta spent $600,000 with Ernst & Young for incident response consulting.
Technology and security upgrades. A successful attack means the exposure of weak links in your security—which you’ll need to repair going forward. Equifax, which in September 2017 experienced what’s probably the costliest data breach in history, was forced to upgrade its technology and security infrastructures. Its ongoing IT and data security costs related to the breach were $45.7 million in the first quarter of 2018 alone.
For lessons learned from the Equifax breach, see our blog post “The Equifax Breach: No More Excuses.”
Legal fees. Your organization may be vulnerable to class-action lawsuits or other legal action stemming from data privacy leaks. Following its 2015 breach, Anthem was liable for more than $33 million in attorney fees and expenses, according to Big Law Business. That’s in addition to payouts to class-action plaintiffs, which in Anthem’s case included $7,500 each for 29 individuals and $5,000 each for 76 plaintiffs.
Insurance deductibles. Insurance against losses from cyberattacks and breaches is a growing market. But as with most insurance policies, organizations may have to pay a deductible before coverage applies. Equifax’s deductible was $7.5 million.
Crisis communications and PR. After an attack is discovered, organizations should get the word out in a timely manner, which may mean engaging a crisis communications PR firm. Atlanta spent $50,000 hiring such a firm after its ransomware attack.
Regulatory compliance penalties or fees. With new data privacy regulations such as Europe’s GDPR, organizations can face stiff penalties if personal data isn’t adequately protected. Infringement fines can go up to 20 million euros.
See “What Does the GDPR Mean for Your Business?” for more information.
Damage to reputation and brand. This side effect of a data breach can be difficult to predict or estimate. But here’s one example: In February 2017, Verizon reduced its offer to acquire Yahoo by $350 million after Yahoo had disclosed two significant data breaches.
But that’s not all. Other hidden costs may include:
- Notifying customers via email, letters, phone calls
- Increase in calls to help desk and customer support
- Cost of business disruption and revenue losses from downtime
- Loss of customers and inability to acquire new ones
4 tips for avoiding attacks and breaches
- Cover the basics. Egress filtering, keeping systems and security software patched, deploying multi-factor authentication (MFA), and encouraging users to take passwords seriously are all basic security practices your organization should implement to help prevent breaches.
- Continually educate users about cyber security risks. Many cyber attacks and data breaches start with phishing emails that fool someone inside the organization into clicking a link they shouldn’t click.
Phishing messages are designed to look authentic, slip past spam filters and, through spoofing, appear to come from people the victim knows. Social media accounts can also be mined to tailor phishing messages to the targeted employee, making them even harder to spot. The most effective way to counter these types of attacks is to educate users and test their awareness frequently.
- Make incident response plans part of your resilience program. The quicker you can identify and respond to an attack, the more likely your organization can recover and stop an attacker from accessing sensitive data. A cross-functional team of employees spanning IT security, legal, corporate communications, sales and human resources should be trained in what to do, in accordance with your incident response procedures.
- Segment each division of your network. In addition to training employees on how to respond after an incident, you should also segment each division of your network. This way, if you experience a cyber-attack, you only need to identify the origin of the attack and shut off that single segment, isolating it from the rest of the company. This minimizes the amount of sensitive data stolen and allows you to recover quickly and continue normal operations.
Network segmentation can be used to protect sensitive data and effectively thwart a cyber-attack. For example, a client of ours prepared their network by segmenting each division and trained their employees on the incident response procedures to follow in the event of an attack. When the company experienced a cyber-attack, it was able to quickly identify the origin of the attack, shut off that single segment from the rest of the company, and recover quickly to continue operating as normal. Having a well-thought-out incident response plan that employees know how to execute properly is critical to business continuity.
More recently, enterprises are increasingly leveraging micro-segmentation to create secure zones in data centers and cloud deployments for isolating and protecting workloads, as well as containers and virtual machines to isolate individual workloads and reduce the attack surface.
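As an added illustration, not code from the original post or its author, here is how the "egress filtering" basic from the first tip and the per-division segmentation from this tip can be expressed together in a single nftables ruleset on a gateway that routes between divisions. The interface names, subnets, proxy and resolver addresses are assumptions chosen for the example; substitute your own layout.

```nftables
# Added example (not from the original post): default-deny forwarding that
# (a) blocks traffic between divisions and (b) restricts outbound Internet
# access to a proxy, so a compromised workstation cannot reach arbitrary hosts.
#
# Assumed layout (hypothetical):
#   eth0  - uplink to the Internet
#   eth1  - 10.10.0.0/24  "finance" division
#   eth2  - 10.20.0.0/24  "hr" division
#   10.0.0.0/24 - shared services (internal resolver, NTP, outbound web proxy)

table inet segmentation {
    # Assumed addresses of the shared services; nothing else may be reached directly.
    set dns_servers { type ipv4_addr; elements = { 10.0.0.53 } }
    set proxy_hosts { type ipv4_addr; elements = { 10.0.0.10 } }

    chain forward {
        # Default deny: finance <-> hr and direct-to-Internet traffic never match
        # an accept rule below and are dropped by the chain policy.
        type filter hook forward priority 0; policy drop;

        # Allow replies to connections we already permitted; discard malformed state.
        ct state established,related accept
        ct state invalid drop

        # Divisions -> shared services: only DNS (UDP/TCP 53) and NTP (UDP 123).
        iifname { "eth1", "eth2" } ip daddr @dns_servers udp dport 53 accept
        iifname { "eth1", "eth2" } ip daddr @dns_servers tcp dport 53 accept
        iifname { "eth1", "eth2" } ip daddr 10.0.0.0/24 udp dport 123 accept

        # Divisions -> Internet: only via the web proxy (assumed to listen on 3128).
        iifname { "eth1", "eth2" } ip daddr @proxy_hosts tcp dport 3128 accept

        # Proxy -> Internet: the single permitted egress path for web traffic.
        ip saddr @proxy_hosts oifname "eth0" tcp dport { 80, 443 } accept

        # Log (rate-limited) what the policy is about to drop. These log lines are
        # what an incident responder reads to locate the origin of suspicious traffic.
        limit rate 10/second log prefix "segmentation-drop: "
    }
}

# During an incident, a single division can be cut off entirely (including its
# already-established connections) by inserting a drop at the top of the chain:
#   nft insert rule inet segmentation forward iifname "eth1" counter drop
# and restored later with `nft delete rule ...` using the handle from `nft -a list chain`.
```

Load the ruleset with `nft -f segmentation.nft` on the gateway. The design choice worth noting is that the accept rules are written per destination service rather than per source division: adding a new division is a matter of adding its interface to the anonymous sets, and any traffic not explicitly listed (lateral movement between divisions, direct outbound connections bypassing the proxy) falls through to the default drop and the rate-limited log.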
In addition, you can improve resiliency via snapshots of files and storage, which let you roll back to a predetermined Recovery Point Objective (RPO), minimizing your exposure to data loss and its associated costs.
For additional tips on avoiding cyber-attacks and protecting your organization against data breaches, consider reading these resources: