A new report from SANS Institute examines the costs that organizations deal with after they clean up from a breach.
Data breaches often result in myriad costs for victimized organizations and individuals. A new study from SANS Institute, sponsored by Identity Finder, found that even after organizations remediate the immediate cause of a breach, there will still be ongoing cost consequences.
Barbara Filkins, senior analyst at SANS Institute, wanted to take a different tact to the analysis of data breach costs than other reports, notably the Ponemon Cost of a Data Breach and Verizon Data Breach Investigations Report (DBIR). (The 2015 Ponemon Cost of a Data Breach report, sponsored by IBM, found that the average cost of a data breach is $3.8 million.) In Filkins’ view, the other reports focus on the front-end costs of data breaches as opposed to what can be done to mitigate the damage after an attack.
At the top end, the SANS report found that 31 percent of the surveyed organizations incurred post-breach costs of between $1,000 and $100,000 as a result of a data breach, and 23 percent experienced costs of $100,000 to $500,000.
Looking at the root causes of the data breaches, 35 percent of respondents noted that a hacking or malware attack was the primary vector. The study also asked about how long it took organizations to fully remediate a breach, with 38 percent of respondents reporting it took three months or longer.
Going a step further, even after the breach remediation was considered to be complete, most respondents experienced residual issues, including potential litigation, fines and brand reputation concerns. Only 35 percent reported that they had no lingering effects after a breach was considered to be remediated.
As to why some organizations have no lingering effects, Filkins said it all has to do with the nature of the breach and the difficulty of understanding costs. There are some obvious items that are considered to be post-breach costs, including identity monitoring services, but when it comes to the lingering costs, it’s not as easy to quantify the impact on brand reputation and stock prices, for example, she added.
According to Todd Feinman, CEO of Identity Finder, the path to helping minimize the costs of a data breach involves classifying data so that organizations understand where the risks are. The reality is that breaches are now a fact of life and it’s difficult to prevent all breaches from happening, he said. Taking that as a baseline, Feinman suggests that just because there is a security incident, it doesn’t necessarily have to turn into a large-scale data breach.
“If organizations want to minimize the costs of an attack or a data breach, you have to know where the sensitive data is and keep it as small a footprint as possible and make sure that it doesn’t leave the organization,” he said.
Identity Finder develops its own tool for data loss prevention called Sensitive Data Manager, which was updated this week to version 9.0. The new release includes improved data classification capabilities.
“There is no single technology, including ours, that is a silver bullet to prevent data breaches and related costs,” Feinman said. “It’s all about people, process and technology.”