It's Not Easy Being Breached

CIOs need to start sharing data because every breach is different, and costs will vary from incident to incident. That's also why it's important to have an incident-response plan in place prior to a breach.

Legal Eagles

The industry's lack of a consistent model for calculating security losses often results in inaccurate loss estimates, "numbers that never would hold up in a court of law", says Varney, who spent years doing computer forensics with the US Department of Defence and the Secret Service. "A company calls up and says: 'We've just been hacked. We've lost $1 million.' They pull a number out of the air," he says. "I ask how they got that number, and it turns out they're just guessing."

Varney says many CIOs don't realise loss estimates are not enough to prosecute security offenders. "If the amount varies from what the prosecution presents, the defence will poke holes all over your case," he says.

Trying to nail a hacker is just the beginning. The concept of downstream liability is also a concern, says Aon's LaCroix. These days, viruses jump from company to company. If a company is deemed negligent in deploying adequate security, there's a potential for third-party lawsuits from others affected afterward. "You are no longer responsible for just your own security," LaCroix says.

Ask Ziff Davis Media. Deficient security and privacy protections cost the publishing company at least $US125,000 in August 2002 when an online subscription promotion exposed subscriber information, including credit card data, to public view. Several subscribers subsequently became the victims of identity theft. In a settlement with the New York state attorney general, Ziff Davis agreed to pay a total of $US100,000 to three state governments, as well as $US25,000 in compensation to 50 customers whose credit card data was bared during the incident. If all 12,000 subscribers whose information was revealed had provided credit card data to the company, the settlement could have reached $US18 million, according to John Pescatore, an analyst with Gartner Research.

Until someone comes up with a way to prevent breaches from happening at all - and risk will never be reduced to zero - CIOs will have to deal with the aftermath of incidents and try to come up with a cost for the whole shebang.

"We learned one lesson really well," says the anonymous CIO of the New York financial services firm. "Understanding what you're spending on security cannot be overrated."

Criteria for Determining the Cost of a Breach

1. System downtime. What systems were out of commission and for how long?

2. People downtime. Who was unable to work, and how long were they unproductive?

3. Hardware and software. How much did it cost to replace servers, hard drives, software programs and so on?

4. Consulting fees. If you needed extra firepower while fighting an attack or for a postmortem analysis, how much did you spend on fees and other expenses?

5. Money. How much were the salaries for people affected by the breach? Consider overtime pay or trades that couldn't be made during downtime.

6. Cost of information. What was the value of information - employee, shareholder, customer - that was stolen or corrupted? How much did retrieving the information cost?

7. Cost of lost business. Did clients take their business elsewhere? Were there opportunity costs - lost contracts or business deals - due to systems being compromised?

8. Incidentals. How much did you spend on food, lodging and transportation for the people working to fight the breach? Were there additional facilities costs, such as power usage and electricity?

9. Legal costs. What were potential and actual costs of litigating and investigating the incident?

10. Cost to your company's reputation. Did you spend money on a PR campaign to control the damage?
