The real cost of a security breach

by David Hobson, Managing Director of Global Secure Systems (GSS)

In its 2006 annual report for the fiscal year ended 27 January 2007, T.J. Maxx recorded a pre-tax charge of approximately $5 million for costs incurred in connection with the computer intrusion it formally disclosed in January 2007. This charge covers actual costs incurred to investigate and contain the breach, strengthen its computer security and systems, and communicate with customers, as well as technical, legal, and other fees. $5 million may suggest that it got off lightly but is this just the tip of the iceberg? What are the hidden costs of a security breach? What will be the final figure? This article aims to examine the hidden expense of a data breach, both the tangible and intangible costs. It concludes with a ‘top ten tips’ to prevent being the next headline grabber.

IT security in the early 1990's was relatively simple. Data was stored on mainframes, access control was limited and the need to share data was very limited. Today the rules have changed. More data is needed to be shared, access to data is required from almost anywhere and the need to secure that data has grown through regulation and legislation. The user population is much more technical now, and the Internet boom has enabled an increasing number of people to be able to cause more trouble than ever. Most organisations acknowledge that the impact of a security breach to the business will result in financial expense.

It’s going to cost how much!
Firstly, there are the direct and easily correlated costs such as replacing any lost or stolen devices; investing in, or strengthening existing, IT security; and if necessary strengthening the building’s physical security.

In August 2007, Monster had to take action when it discovered that con artists had mined contact information from curriculum vitaes for 1.3 million people, and possibly many more as Monster has since confirmed that this was not an isolated incident. Files were stolen not only from Monster.com but from USAJobs.gov, the federal-government career-listing service operated by Monster. Monster has said it will have to spend at least $80 million on upgrades to its site, which will include security changes. Among them is closer monitoring of the site and limits on the way its data can be accessed.

It doesn’t stop there
Some costs are harder to pin down including contacting those whose records may have been exposed, credit monitoring for those affected, and even the possibility of subsequent legal action taken by people who have suffered a financial loss as a direct result of their records being exploited.

The HMRC, who in December had two CD’s containing 25 million child benefit records go astray in its internal post system, wrote to each person whose personal details were at risk. When tallying this up there is the physical cost of the paper and envelopes, printing the letter and addressing the envelopes, postage, and the harder to guesstimate employee’s time to draft the letter and to physically perform the mail out, to account for.

Customer lawsuits can cause serious headaches for businesses that go far beyond the reputation-slaying negative headlines. Aside from the actual monetary damages, lawsuits often leave companies on the hook for additional training, systems upgrades or -- in the case of a data breach -- credit monitoring for those affected.

In the case of TJ Maxx’s massive security breach, it revealed that all affected customers were offered credit monitoring at its expense. Additionally it disclosed that it has agreed to pay up to $24 million in a settlement with MasterCard and it might not stop there. It also confirmed that it’s had to budget for various litigation and claims that have been, or may be, asserted against it or its acquiring banks on behalf of customers, banks, and/or card companies seeking damages allegedly arising out of the Computer Intrusion.

In another instance the Information Commissioner’s Office (ICO) found Marks & Spencer in breach of the data protection act in January this year following the theft in April last year of an unencrypted laptop containing the personal information of 26,000 M&S employees. As a result, the ICO ordered Marks & Spencer to ensure all hard drives on laptops that it uses were encrypted fully by April 2008 facing further prosecution if it failed to comply although M&S have appealed against this decision and a final outcome is yet to be decided. Other tangible costs Marks & Spencer faced were writing to all 26,000 employees affected and the cost of its offer to them for free credit checks. But what is the hidden cost, how many employees loyalty will have been damaged by this incident? We all recognise the cost of recruitment and training.

In 2007, the UK's largest building society Nationwide, received a fine of nearly £1m from the Financial Services Authority after the theft of an employee's laptop unearthed security flaws which could have put its 11 million customers at risk. In the first action taken by the City regulator over such systems and controls issues, Nationwide had faced a £1.4m penalty but was given a reduced fine of £980,000 because of its cooperation.

It runs deeper still
So what other concealed costs are there?

There is bound to be an impact on share price, even if only temporarily, as stakeholders react to the news.

There is the lost marketing investment when a brand is damaged, which is a key impact that UK Boardrooms should be concerned about. This is closely followed by the recovery costs in the form of future/increased marketing budgets to regain market position, rebuild reputation, etc. Imagine the continuing damage if the company’s communications can no longer be trusted. IKEA fell victim earlier this year when a hole in its website security allowed hackers and phishers access to its ‘contact IKEA’ function enabling them to send bulk outbound mail via its email servers. The potential damage to the company's reputation and possibility of email blacklisting could be significant.

There is the cost of customer erosion, especially where the breach has compromised credit card details as in the case of Cotton Traders. Apacs has called the recent hacking attack on its website a “serious” breach, saying the hackers could use the stolen card details for fraud. The clothing company has so far refused to say how many people have been affected, and has tried to alleviate continuing fears by confirming that its customer credit card data is now encrypted on its website, but could this prove too little too late?

There could even be the risk of employee’s jumping ship as internal morale dives when they feel their loyalty is compromised if the company they work for makes headline news for the wrong reasons. Filling vacancies is a costly exercise.

There is even the reality that those unaffected and uninvolved will still end up footing the bill. Again the HMRC data loss can provide a perfect example of this. The Chancellor of the Exchequer at the time of the breach, Alistair Darling, confirmed that banks were having to monitor all 7.25 million bank accounts whose details were on the discs. Although the cost for this monitoring has not been revealed the banks will make sure that they recoup the expense from someone! So either the tax payer, or everyone with a bank account, is going to cover this charge.

This article proves that data loss is not an insignificant issue. Information assurance is business critical and for many organisations, the data they own is their key asset, so why are so many failing to treat it as such? Failing to do so opens the corporate purse with no guarantee that it will ever be closed again. TJ Maxx itself summed it up when it said in its statement : “Beyond this charge [$5 million], we do not have enough information to reasonably estimate losses we may incur arising from the Computer Intrusion.”

Top Ten Tips to Preventing a Breach:

  1. Management set the tone for their organisations by their own behaviour. As such, good information practices are obligatory for all stakeholders, not just employees.
  2. Be proactive – management should deal with information assurance issues proactively, rather than reactively as information assurance is far more cost effective in a preventative rather than a remedial context.
  3. Information assurance is a business issue, not something extra for IT to handle. IT simply does not have the resources and/or authority to drive information assurance best practices through their organisations.
  4. Understand that information assurance is an ongoing process, not an annual event just before the auditors arrive.
  5. Information assurance is everyone’s job and as such investments in training and awareness programs for all employees are critical.
  6. Management should set out the company’s expectations with respect to information assurance in clear, accessible policies.
  7. The process for dealing with information security incidents should be defined in straightforward and unambiguous procedures.
  8. Investments need to be made in technology that will result in the secure transport and processing of information by the company’s information technology assets.
  9. Suitable best practices should be identified and implemented rather than ad hoc approaches implemented.
  10. Expert advice should be sought and used at all times to advise and oversee efforts in respect of information assurance from an experienced and objective third-party perspective.
www.gss.co.uk

Source: Eskenzi PR Ltd.