Breaches are not created equal
The business impact and cost of a breach are notoriously difficult to measure.
Each event can lead to direct and indirect costs that organisations need to consider and prepare for, notes Forrester.
These include response and notification, lost employee productivity and turnover, lawsuits and settlements, regulatory fines, security and audit requirements, brand recovery costs, as well as other unexpected liabilities.
The costs, moreover, can accrue right after the event, or occur years after, reports Forrester analyst Heidi Shey in The Business Impact And Cost Of A Breach Business Case: The Data Security And Privacy Playbook.
The Forrester report says security and risk leaders must educate business executives about the range of potential costs of a breach, and build business case investments in data security and security operations to protect the organisation’s sensitive data.
A critical step will be to identify the organisation’s most likely scenario for data loss, and tailor the approach to the industry and organisation.
A retailer, for instance, would most likely face attackers going after its customer data. A law firm might deal with attackers compromising attorney-client communications or employees accidentally exposing sensitive client data via unsecured email or losing hard copy printouts.
Security leaders need to present several loss scenarios and articulate assumptions.
“Breaches are not created equal,” the report states.
“Presenting multiple scenarios to executives will help highlight what scenarios the business is currently capable of responding to and absorbing costs for, what scenarios will push limits, and which ones are potentially devastating.”
“Start with basic assumptions, such as those concerning direct costs, then become more sophisticated over time with input from the business,” says Forrester.
The Forrester report notes there may be voluntary or involuntary departures of executives following a breach. It can also take longer and require more money to hire a chief information security officer and other related roles because of the candidates’ negative views of the organisation.
Forrester summarises how to prepare for this eventuality:
Organisations should also consider that lawsuits can come not only from customers or employees. Business partners may also sue for breach of contract following a data breach.
Consumer expectations, meanwhile, can also add to the costs.
When providing discounts, coupons and gift cards to the affected customers, “Be careful not to inflict further reputational damage with your offer,” advises Forrester.
Some customers may feel insulted with a 10 per cent off coupon.
“Monetary compensation is no guarantee of damage repair, either; Barclays customers were still furious after a £250 offer,” the report states, referring to the response of customers when the bank suffered from a data breach involving thousands of customer files.