Breach Aftermath Planning: Focus on Saving Your Business
It's More Than Loss of PII, Customer Notification; It's About Keeping Your Business Operational
In planning for the aftermath of a data breach, many organizations focus on the obvious: the theft of personally identifiable information, including Social Security numbers, payment data and health information. In estimating the cost of a breach, enterprises often concentrate on customer notification, credit monitoring and the possibility of legal judgments or regulatory penalties.
But a new study by the business advisory firm Deloitte & Touche - Beneath the Surface of a Cyberattack: A Deeper Look at Business Impact - contends these factors represent about 3.5 percent of the total breach costs.
"The costs that are commonly associated with cyberattacks and data breaches really end up being a small fraction of the overall impact," Emily Mossburg, principal in Deloitte's advisory cyber risk service, says in an interview with Information Security Media Group. "Typically, based upon the model we put together, over 90 percent of the cost and the impact tend to be those things that are less tangible and often less discussed. What we really think this means is that it's not necessarily, 'OK, open eyes, this is costing more than you think.' It's more about you truly identifying the risks that are the most important to your organization."
In the interview, Mossburg discusses two scenarios Deloitte created that outline the multimillion-dollar impact breaches have on two fictitious companies:
- A health insurer with 50,000 employees and annual revenue of $60 billion that fell victim to a stolen laptop computer containing nearly 3 million patient records.
- A technology manufacturer with 60,000 workers and $40 billion in annual revenue that experienced a cyberattack from a nation-state.
Mossburg contends these scenarios should help organizations understand the deep impact data breaches have on them.
Deloitte, in its report, itemizes 14 cyberattack impact factors: half of them carry commonly known costs; the other half carry costs that are hidden or less visible but significantly higher.
Mossburg leads the resilient portion of Deloitte & Touche's cyber risk services portfolio, including the technical and organizational aspects of technology resilience, cyber incident response and post-incident crisis management for rapid recovery of operations, valuation and reputation. She has served a range of clients in the areas of technology risk management, data protection, data breach management and technology resilience, most recently focused on financial services and federal sectors.