Surviving a security incident is just the beginning. Then you need to figure out what it really cost.
A veteran CIO of a New York City-based financial services company learned in July 2002 that several vital files had vanished from one of his company's 25 servers. An employee had tried to find some information and failed. That's when IS discovered that there was, in fact, no company information on that particular server at all. Panicked, the CIO and his staff went into emergency mode. They soon discovered that a hacker had found his way through their firewall and wiped out all the production files on the server, leaving chaos and a couple of strangely labelled files in his wake. Two frantic days - and 15 hours of work - later, the alien files were deleted and the missing data restored through backup tapes. But it took an additional two weeks to be sure that the hacker hadn't accessed and tainted any of the company's 24 other servers.
All told, the CIO (who spoke on condition that his name not be used) reported that the breach cost the company $US50,000. But when asked how he came up with that number, he said he honestly couldn't say. Because he really wasn't sure.
"We didn't do a line-by-line breakdown of the costs because it didn't seem necessary at the time," he admits. "But consultant costs, loss of production time and overtime for the IT staff were part of it."
Even if CIOs can quantify the cost of a breach, few executives will talk on record about it. Companies have an incentive to downplay - or downright hide - such information. "It's embarrassing to admit that a hacker got through your firewall," says Tina LaCroix, CISO of insurance provider Aon. "Most companies won't give out the real information [about breaches]. They don't want you to know they have vulnerabilities because they make the CSO look bad."
"No one wants to be the company on the front page of The New York Times," says Thomas Varney, a director of technology assurance and security, who spoke on the condition that his Fortune 100 company not be named. But ignoring vulnerabilities won't make them go away. Every day (or so it seems), another consultancy reports dire new statistics on the cost of security failures. According to the 2002 computer crime and security survey from the Computer Security Institute and the FBI, 80 per cent of the 503 security practitioners surveyed acknowledged financial losses due to security breaches, but only 44 per cent were willing (or able) to quantify losses.
While circling the wagons is understandable, it's also counterproductive for the industry as a whole. CIOs need to start sharing data because every breach is different, and costs will vary from incident to incident. That's also why it's important to have an incident-response plan in place prior to a breach. Creating a methodology for quantifying as many costs associated with a breach as possible is essential. Start by determining the value of your information and assets so that you can more easily find out what you lost. Break the incident down into every conceivable category because, inevitably, all of them will have been affected.
Hard costs - replacing servers or paying overtime - are easy to track. The real difficulty lies in quantifying nonattributable costs - the loss of customer trust or business. "Do more than simply calculate your physical losses," says Craig Goldberg, president of Internet Trading Technologies. "Look at what was lost in terms of customer, shareholder and employee information. What was the cost of lost business?" And don't forget the most serious damage - a blow to your company's reputation. "It's the grey areas that are usually the most significant in terms of cost but the hardest to prove," says Goldberg.
That's why cyberinsurance is a tough area, says Rich Mogull, research director at GartnerG2 Cross-Industry Research. Companies lack the solid actuarial formulas that enable them to figure out risks over time, so they underprotect - or overprotect - themselves.