The Hidden Costs of a Data Breach That Could Last Years
Software bugs and vulnerabilities often lead the way to massive security breaches via exploitation. These breaches impose heavy costs on the organization in the form of well-known monetary fees and penalties, but there are several unforeseen costs that affect the organization both internally and publicly.
While the cost of containing and eradicating the breach is obviously a necessity, unforeseen and implicit revenue loss is also a side effect of a data compromise. The effects of a data breach span every organizational department and can also affect partnerships with external vendors and contractors. The loss of customer trust can also last for years, which makes the cost of a data breach more than an immediate monetary expense. It has long-lasting residual effects on employees, vendors, contractors, customers, and public relations.
What is a Data Breach?
While the definition of a data breach might seem evident, it often gets confused with a security breach. A security breach can lead to a data breach, but not always. For example, a server can be compromised in a way that lets an attacker crash an application and cause a denial-of-service, but without access to data, the attacker can only create monetary loss through application failure and downtime.
Some state-sponsored attacks are aimed at causing a denial-of-service (DoS) condition that leads to downtime for competitors or government agencies, but security breaches don’t carry the heavy rewards of a data breach for attackers looking to make money on darknet markets. An attacker with access to private data can sell it on darknet markets, use it for identity theft to open credit and financial accounts, or use it in phishing attacks. Private corporate data is far more valuable, especially if it’s confidential information or intellectual property.
A security breach could be more than a DoS and also lead to a data compromise. For example, if an attacker can install malware on critical infrastructure, the malicious software could be used to further other attacks that give access to data. Breached password databases could be brute-forced, giving attackers the cleartext version of user credentials. Successful phishing campaigns could also lead to a network compromise, including ransomware that holds data hostage in return for a cryptocurrency payment. In many of these cases, the breach starts with unpatched server software.
Public Costs of a Data Breach
One of the biggest unforeseen aftermaths of a data breach is the damage to the organization's reputation in the public eye. Equifax fell victim to a large data breach in which attackers were able to exfiltrate millions of personal records. Years later, people still associate Equifax with an organization that disclosed most of their financial data and social security numbers to attackers, forcing them to freeze their accounts and watch their financial information closely. Much of the public lost faith in Equifax and no longer trusts them with their data. This side effect of a data breach can be devastating for organizations that need trust to collect user information for accounts and product sales.
After the Equifax data breach, Ponemon performed a study on the impact on an organization's public reputation when it discloses customer information to cyber-criminals. They found that it took organizations at least 10 months to recover from the negative reputation in the public eye. The study also found that 50% of surveyed organizations suffered from a loss of productivity and 41% indicated that they lost customer loyalty.
Businesses that store private information must preserve trust in every way possible, or it could mean a mass exodus of loyal customers. In addition to avoiding a data breach, the way the organization handles one also impacts customer trust. The sooner customers are made aware of the breach, the better it reflects on the corporate reputation. Organizations that hide a breach for months lose valuable trust and could experience a loss of customer loyalty if it is hidden for too long. Reporting a breach within a reasonable amount of time is also a compliance responsibility under many of the standard regulatory bodies.
In many data breach scenarios, exfiltration and data corruption rely on malware. Exploitation of software usually happens through unpatched and outdated versions, whether it's the operating system, third-party tools, or custom software with unknown vulnerabilities. When customers find out the details of a data breach, any poorly managed software patching could harm trust. If standard patch management isn't implemented, customers will likely not trust that it will be done in the future. This factor often affects large technical corporations, financial institutions, and any other organization that stores large amounts of user data.
Within a day of a data breach announcement, publicly traded companies saw an average 7.5% drop in stock valuation. Researchers also observed a $5.4 billion market cap loss per company and a 46-day recovery time for stock prices to return to normal. The drop in stock price and negative PR also affect vendor relationships and partnerships. If the organization can't be trusted with data, many critical partnerships could be destroyed.
Many of the public costs affecting organizations after a data breach also affect private revenue and valuation. As stock prices fall, the business itself is affected, but there are several further private costs associated with a data breach. Ponemon's Cost of a Data Breach Report 2020 estimates that the average global cost is $3.86 million. After the breach occurs, the next step is to put a good incident response plan into action, and many organizations fail to have a good plan to contain and eradicate the threat.
Organizations without a dedicated incident response team must outsource the service to get help with a compromise. The resulting delay extends the time an attacker has to exfiltrate more data. For an immediate response, many organizations must shut down critical services to stop data extraction from the compromised system. The immediate shutdown of critical services results in a loss of productivity for internal employees and of revenue from customer-facing portals. It can also lead to corruption of data and long-term customer service inquiries from customers unable to place orders.
Incident response teams cost hundreds of dollars per hour plus any travel expenses. Organizations could spend thousands of dollars for a team to eradicate and investigate an incident if they don't have a dedicated team to handle the situation. Most IT staff are not qualified to completely eliminate a threat from infrastructure, especially if the incident involves advanced persistent threats (APTs).
After the threat is eradicated, most organizations must upgrade infrastructure, whether hardware, software, or both. "Lessons learned" is the standard last step in incident response and disaster recovery, and it comes with the realization that a component of the organization's cybersecurity strategy is not sufficient to stop threats. Better strategies could be educating users to stop phishing attacks, better anti-malware software, remediation of misconfigurations, or better patch management of the outdated software that led to the exploit.
The ripple effect touches every aspect of the business. Incident response will help with archiving files and audit trails to turn over to the authorities for investigation, but in the meantime any systems shut down to protect against further damage will halt employee productivity and potentially customer sales.
As an example of how one hacked system can affect the entire organization, consider what happens when a database server is infected with malware or an attacker successfully launches a persistent cross-site scripting (XSS) attack. In persistent XSS, the stored data is corrupted with attacker-controlled script that is served to other users and could be used to obtain access to internal systems. With malware, the database could be sending data to an attacker-controlled server, giving an attacker remote access to the system, or potentially encrypting files using ransomware. Even recovering from a backup takes time and causes downtime while the system is restored. In large enterprise organizations, downtime of even a day can cost the business thousands of dollars in lost sales revenue and employee productivity. The effects of the initial revenue loss can then be felt for months afterward.
Most researchers discuss the effects of a data breach on company revenue, stock prices, customer loss, and incident response prices, but what they don't discuss is the effect on interpersonal relationships between employees and IT staff. Because a data breach is a publicly announced event, employees are made aware of the issue and must be included in changes to organizational processes and training.
If the basis of the attack was a phishing campaign, the targeted employees who fell victim to the attack must be trained to identify malicious messages and report them. It's not uncommon for employees to put their faith in IT to protect them from malware and malicious software, so even in the case of a phishing campaign that led to a successful data breach, employees could lose trust in the business, and specifically in IT. The loss of trust can be worse if the failure to protect infrastructure was due to misconfigurations, inefficient anti-malware infrastructure, or an IT misstep.
IT and security professionals know that no cybersecurity strategy reduces risk by 100%, but most internal employees aren't aware of how cyber-threats work. Any data breach will result in a change of procedures, usually adding overhead to a user's process. These procedures could be a change in security systems affecting the way employees authenticate to the system, a change in manual processes, or additional mandated training. Any significant overhead in an employee's day-to-day productivity will be met with some resistance, including from management. The loss of trust could make it difficult to get approval for a change in the way current processes are carried out.
Implementing new cybersecurity systems and procedures is already difficult, as most employees don't want to perform any extra steps to ensure security, but a data breach can leave employees without trust in new and existing systems, which can ultimately lead to skipped procedures and added risk. Cybersecurity training and education help reduce risk, but it takes time to collaborate and schedule sessions. Employees, including executives, must take time out of their day to attend training.
While businesses are aware that their data is valuable, the ways in which they manage cyber-risk directly affect the likelihood of a compromise. Data breaches result in years of recovery time, both monetarily and in regaining user trust. Most organizations focus on the immediate monetary damage, but long-term damage will affect revenue and other costs for years.
Mitigating vulnerabilities before they are exploited is the best way to reduce the risk of a breach. This implies good practices for patching and maintenance. With live patching, your organization adds a level of convenience and quicker, rebootless patching of vulnerable, outdated servers. Instead of waiting weeks to patch vulnerable servers and leaving them open to the latest exploits, live patching updates server software and the operating system as soon as vendors release updates. KernelCare offers live patching for the main Linux distributions and can reduce the window of opportunity on unpatched servers. Simply deploy KernelCare with your orchestration tool of choice and leverage the benefits of live patching to reduce risk and safeguard your servers from the latest cyber-threats and exploits.