Don’t Focus on Whodunit After a Data Breach: Attending to tangential issues can prove costly

Thursday, August 31, 2017 - 18:30

Cybersecurity attacks, data breaches and hacks can be devastating and demoralizing to a company, leaving it with a difficult question: What now? Too often, companies focus on the whodunit of a cyberattack. They want to attribute the data breach or cybersecurity incident to a specific actor, a villain. Yet focusing an internal investigation on identifying the source of a breach or attack is an inefficient use of the company’s resources and a waste of time.

Consider the following scenario. You are coming home from a vacation with your family. When you reach the front door, you notice that the door is unlocked and the door jamb is completely busted. You push open the door further, only to find the house in complete disarray. You quickly put the pieces together and determine that while your family was enjoying its vacation, someone broke in and burglarized your home. You ask your spouse to call the police and direct your children to stay outside the house, but what do you do next?

Would you assume your best impression of Sherlock Holmes, grab a magnifying glass and immediately start investigating to determine who the burglar was? Or would you instead take stock of your house, determine what valuables were missing and figure out how the burglar got into the house and why the alarm system was not triggered?

The average person would not devote time and energy to finding the suspect. They would leave that to the people who are trained in that field – law enforcement. Most people would focus instead on recovering from the burglary. They would restore the house, determine what was destroyed or stolen and file insurance claims for the damaged and missing property. They would then focus on how the burglar got into the house. Was the alarm set? Were all the doors and windows locked? Was a family friend supposed to stop by every couple of days to check on the house? Then, after understanding how the burglary occurred, they would hopefully take steps and precautions to make sure that a similar burglary could not happen again.

We don’t focus on investigating the burglary because we, as private citizens, need to get back to our everyday lives as quickly as possible. We do not focus our energy on discovering the identity of the burglar because we know that we have police officers and detectives who are trained experts to figure that out.

So why should we treat cybersecurity attacks and data breaches any differently?

In June, the Ponemon Institute released its annual Cost of Data Breach Study. The report underscores that a company’s failure to quickly and efficiently recover from a cybersecurity incident increases the damage and costs associated with the incident. According to the report, within the United States, the average cost for each lost or stolen record containing sensitive and confidential information is $225. The average total cost for organizations that participated in the study was $7.35 million.

Ponemon also reported that the time it takes for a company to identify and contain data breaches impacts the total cost. If it took less than 30 days for a company to contain a data breach, the cost was $5.87 million. If it took 30 days or longer, the cost increased to $8.83 million. Additionally, data breaches caused by malicious or criminal attacks (as opposed to those caused by accident or negligence) took the longest for a company to detect and contain, at an average of 303 days.

The report also highlights the hidden costs of a data breach: the internal resources that companies use to deal with them along with other indirect damages to the company. These include the time employees spend on investigations and notification efforts, loss of brand value and reputation, and customer churn. In 2017, of the $225 average cost for each lost or stolen record, $79 was attributed to indirect costs.

The Ponemon report also demonstrates that focusing on attribution after suffering a data breach is a waste of time, money and a company’s resources. Law enforcement agencies have the training, resources and experience that companies simply don’t have. Additionally, identifying the actor responsible for the incident does not help the company recover. Companies should focus on containment of the incident, restoring any impacted operations as quickly as possible and preventing a similar incident from occurring in the future. Rather than answering the whodunit, companies should get answers to the following questions:

  • What controls were in place prior to the incident?
  • What controls failed?
  • How did the controls fail?
  • What systems and information were accessed or acquired?
  • Was the security, confidentiality or integrity of any information impacted?
  • How can we restore our systems and any information that was compromised?
  • What controls should be updated, replaced or changed to prevent this incident, or a similar incident, from occurring again?
  • Do we need to notify consumers and any government agencies?
  • Is there a third-party vendor that is liable for the breach? If so, should we file a legal claim against them?
  • Do we have cyberinsurance? If so, is there a dispute over the coverage?

In resolving cyberinsurance coverage disputes, companies should consider arbitration or mediation, as they can be beneficial for both the insurer and the insured. Arbitration and mediation allow the company to keep the dispute confidential and, with the right arbitrator or mediator, can save the parties significant time and money. The key is using an arbitrator or mediator who understands the technology, the law and insurance. The arbitrator or mediator can then cut to the heart of the technical and legal issues at play to resolve the dispute efficiently and help the company stay on the path to remediation.

By directing its energy toward identifying and recovering from a cybersecurity incident, companies can mitigate the amount of time, money and resources needed for that recovery.