The recent Equifax data breach highlights the need for businesses to undertake security and risk management plans. As consumers struggle to learn whether their information held by the credit reporting agency has been among the estimated 143 million users’ information potentially compromised, Forrester Senior Analyst Heidi Shey outlines some considerations for companies undertaking a security risk assessment. Shey wrote Forrester’s Aug. 31 report, “Calculate The Business Impact And Cost Of A Breach.”
Security Boulevard: Who should do an assessment? Is there any industry that should be more concerned?
Shey: Anyone who has data of value that someone might want to steal, or data of value that could have a negative impact on the business if it were accidentally lost. It’s an equal opportunity field. If you have data, you have something of value.
Security Boulevard: Where would you put a security risk assessment on a company’s to-do list?
Shey: That’s a tough one. There are so many competing priorities these days for security teams. And there are different ways for them to help prioritize for themselves based on their current state and the resources that they have. That’s where we would recommend things like a security and risk assessment for the organization, or an assessment of security maturity. That’s one way to help identify where your biggest gaps are so you can then prioritize what you need to do.
Security Boulevard: Do companies recognize the value of a breach response plan?
Shey: Yes. It gives them a playbook of what happens and what they need to do next when these types of events occur so they’re not panicking and trying to make it up as they go. A coordinated response makes a huge difference. When companies think about their breach response plans and what should go into them, oftentimes they’re really so focused on the technical response part of it, the IT side of things, that the one other part that maybe gets overlooked is the customer-facing, public-facing piece of it. How are they communicating things to the public, their customers, even their own employees, about what’s going on and what people should know? What’s their plan for doing customer notifications, if that is required in their case? That is something you don’t want to have to scramble to figure out at that point in time.
Usually companies would hire a service provider to help them here, but being able to know that up front, ahead of time as you’re creating these plans, is extremely helpful.
Security Boulevard: Is paying a retainer fee becoming more common?
Shey: That’s another important point here, too. With these breach response plans, companies need to take it all the way. You can’t just make the plan and have it sit on a shelf. You actually have to go and test these things, run through the plan, do simulations, do a whole exercise as if you were responding to a real breach. It’s like doing fire drills—people who are involved in the response get some practice.
Security Boulevard: Is there an average cost of a breach?
Shey: No. And that’s where companies run into trouble when they try to find that kind of a figure or derive that kind of figure for themselves. If we look at the kinds of breach costs that are publicly reported, maybe things you find in a company’s Form 10-K filing, for example, or other types of studies that are out there, this is typically what I would call a subset of costs. These could be direct costs that are measurable: the amount that you have paid for incident response services or the amount of a fine you have to pay to a regulatory body, for example. But then it doesn’t cover other, more indirect costs, or even costs that could have a very long tail. Costs like lost employee productivity. And lawsuits and settlements; usually these are things that take years down the line as well. And then the other, squishier costs, like brand recovery, for example. What’s your reputation like with consumers, or what’s your reputation like with prospective future employees? If you’re trying to hire, does this make it more difficult? A lot of it comes down to just what kind of events happen in the first place: what kind of a breach was this and how did the public perceive your response?
Security Boulevard: What’s the key takeaway?
Shey: I would say have people not get too hung up on trying to get to an actual [cost] number. Understand that there are the different factors and the different types of costs, for one, and then understand the different factors that could influence the cost one way or the other, to increase or maybe to decrease it, and then take that into consideration when it comes to making the case for why you need to prepare and do your planning. This way you’ll at least have a rough idea, even if it’s a rough range, of what potential costs would be like. It’s an incentive now to say we should do a better job proactively on the front end to do everything we can. One, if we could prevent something like this from happening, some of these things would not be costs that we would face; but then also knowing that, well, two, it’s almost inevitable that this could happen to us, so now at least we have a rough idea of what we need to consider.