It has been a busy month in cyberspace. TJX, the massive worldwide fashion retailer, is finally releasing some of the gory details of the recent hack which saw over 45 million credit and debit card details stolen from their databases. It seems that the entire fiasco has cost the company an estimated $17 million to date. Interestingly, in a statement, the company goes on to say that “Beyond these costs, TJX does not yet have enough information to reasonably estimate the losses it may incur arising from this intrusion, including exposure to payment card companies and banks, exposure in various legal proceedings that are pending or may arise, and related fees and expenses, and other potential liabilities and other costs and expenses”.
Estimating the cost of an intrusion has never been easy. It is something that IT managers grapple with regularly, particularly when fighting for budgets. This article will attempt to explore some of the considerations when contemplating the cost of a systems breach, or indeed the cost of a possible “future’ breach.
At a basic level, the most obvious cost component associated with a security incident of any kind is the cost of human labour that will be inevitably required to investigate the breach (if indeed there was one). Add to this the fact that these “investigators’, assuming they are employees, will be taken away from their normal work activities, resulting in lost productivity. Time will be spent analysing what has happened, re-installing operating systems, restoring installed programs and data files, reviewing log files, writing incident reports, interfacing with vendors or suppliers etc. And don’t forget that all this will be relatively disruptive, possibly resulting in users being prevented from accessing the systems they need to do their jobs. More lost productivity and ultimately wasted time.
Thankfully, most organisations have a very accurate indication of how much each and every employee’s time costs, so putting a monetary figure on this component is straightforward enough.
One of the major challenges of the security community is to develop an effective return on investment calculation that will allow them to justify security expenditures before catastrophic incidents occur. Ask the following questions:
- Who worked on responding to or investigating the incident?
- How many hours did each of them spend?
- How many people were prevented from working because of the incident?
- How much productive time did each of them lose?
- How much do you pay each of those people to work for you?
- How much overhead do you pay (insurance, sick leave, etc.) for your employees?
Provide the answers to these questions and, believe it or not, you will ultimately arrive at an actual monetary value. Knock the number down by around 20% and you will probably have a true and fair reflection.
Take the time to work out the cost of an imaginary security breach for your organisation. Suddenly, you will find yourself armed with some compelling and, most importantly, factually based, data to impress your management and fight your corner. Better still, turn the data into a fancy pie chart. That will as good as guarantee results! It seems fair to say that with a little preparation, some policies and procedures in place, and a little discipline during incident handling, a reasonably accurate picture of the damage estimates are easily achievable.
It is much more difficult to put an accurate and realistic figure on many of the other “softer’ knock-on effects of a security breach. Something else that must be added in (for companies who use computers as part of their business) is lost revenue. This can vary wildly, depending on the nature of an organisations business. Online retailers, or others whose central business model relies on online sales, will find it easy to calculate loses. Others may not be so concerned.
Loss of reputation is probably the most contentious issue, and the one that the majority of security technology vendors tout as the “justification’ for purchasing their products. And don’t forget insurance deductibles. Our friends in TKX have sweaty palms at the very thought. And if you ask me, rightly so.
Predictably, I will end by saying that it pays to invest upfront in IT security, be it technology, training, policy initiatives or prevention mechanisms. In fact, we might even be able to prove it.