No business like breach business
A new class of companies are angling to be at the top of a list of breach responses that grows longer by the day.
A new class of companies are angling to be at the top of a list of breach responses that grows longer by the day. And little wonder: According to a study by the Michigan-based Ponemon Institute, sponsored by IBM, the average cost of a data breach is $3.8 million – a 23 percent increase over the previous two years. The cost of each piece of confidential information exposed rose from $145 to $154 over the same period. Then there's the harder-to-quantify cost of damage to a company's brand or the reputation of its leadership – as the C-suite survivors of the Target and Sony breaches can attest.
The rising costs following a data breach reflects the multi-faceted spending required to recover from such events. At one end of the spectrum, high-powered, forensic-focused outfits that work the case and finger the culprits, be they domestic hacktivists or international cyber-gangsters to operatives for a nation-state. Then there's a growing array of far smaller companies promising to swoop in to save previously unsuspecting mid-sized companies – for example, a hospital hit by ransomware or a local retail outlet with compromised POS devices. Those trying to limit their budgets will encounter what analysts call the ambulance-chaser segment of the post-breach repair market, with results that may be spotty at best.
Lillian Ablon, information systems analyst, RAND
Robert Liscouski, CEO, Convergent Risk Group
Andrew Plato, CEO, Anitian
Melissa Ventrone, partner, Thompson Coburn
But spending top dollar on post-breach specialists isn't necessarily the most effective way to counter a breach, says Andrew Plato, CEO of Anitian, a Portland, Ore.-based security consultant.
“There is focusing on the attribution and mechanism of the attack rather than the systemic set of issues that have happened there,” Plato says. “You see this a lot with the big public players in this space. They attribute the breach to some Chinese group and get on the news. That is good for them, but does it give their clients a lot of benefit?”
If breach-hit companies want to avoid a one-stop shop with services they may not need, they can go a la carte, assembling their own team: investigators to figure out what went wrong, remediation specialists to pick up the pieces, attorneys to work with law enforcement to help brace with the inevitable lawsuits, and public relations specialists to sooth customers and deflect the media.
That's where law firms specializing in cybersecurity see an opportunity. By acting as post-breach coordinators, attorneys can help their clients navigate the 47 data breach notification laws upheld by individual states and territories in the U.S. and keep even more internal data from spilling into the open through the legal discovery process. Melissa Ventrone, a partner in the Chicago law firm Thompson Coburn, says she thinks of it as shielding the company through the umbrella of attorney-client privilege.
Behind closed doors, Ventrone and her counterparts at other firms inform clients that the services offered by some breach-response specialists should have already been in place. “Endpoint monitoring, anti-virus and anti-malware, central logging points – all of these things should have been taking place prior to an event,” she says. Buying such services a second time may be irrelevant and a waste of money, Ventrone adds.
When the data breach D-day finally comes, businesses can avail themselves of any of several survival guides by the major IT players, cybersecurity technology companies, large consulting companies, the credit bureaus, industry associations and more. Nearly all focus on key steps: isolate and stop the breach, contact law enforcement, line up legal help to conform with breach notification statutes, conduct a forensic investigation, deploy a public relations team and roll out long-term remediation.
That's solid advice, says Ventrone, but they scare her a little bit, she says, because there are so many nuances to these types of events. “They are not formulaic in nature.”
The message from the breach-response industry is, in short, pay us for full-service breach response before the worst happens – or pay a lot more later. From forensics squads to legal teams to PR specialists, industry players contend that the costs of being underprepared is simply too great in terms of battered brands and alienated customers.