Breach investigation

After the attacker has been successfully ejected from the organization’s information systems, an organization should perform a thorough investigation to determine as much as it can about the particulars of the breach. Performing this investigation will cost the organization as it takes personnel away from their day-to-day work tasks. It may also be necessary to bring in outside expertise so that the full extent of the compromise can be ascertained, which will again cost money and time.

The benefit of these costs will be that the organization has a clear picture of how the breach occurred, how long the intruder was present within the organization’s information systems, and the steps that can be taken to ensure that attackers will not be successful leveraging similar techniques in the future.

Systems rehabilitation

Once the attacker has been successfully ejected from the organization’s information systems, it’s then necessary to ensure that those systems are rehabilitated. Not only is it necessary to remediate the vulnerabilities that allowed the attacker to compromise the system, it is also necessary to ensure that any modifications that the attacker may have made to the system are located and removed. Rehabilitating a system isn’t just a matter of reverting to the last backup as it may be that the attacker compromised the system some time ago. Reverting to the last backup won’t remove the tools that the attacker placed on the system to retain persistence if those tools have been included in the system backups for some time. In many cases, the only way to ensure that a system is rehabilitated is to deploy it again from the beginning and then address the vulnerabilities that allowed the attacker to gain access.

Reputational damage

Sometimes the biggest cost of a successful breach is reputation. Reputational damage doesn’t just occur when sensitive internal documents are leaked to the media. For example, consider an e-commerce site that suffers a breach where customer payment information is compromised. Customers of the site may be wary of using the site again in the future, especially if they’ve had to cancel an existing credit card as a result of the breach. When customers lose faith in an organization’s ability to protect their information, they are less likely to interact with that organization.

Destruction of assets

Some attackers plant malware that is designed to destroy the systems of the target organization. Some malware works by reconfiguring hardware to work beyond its safe specification. For example, overclocking a processor until it overheats and fails. Other malware erases data on target systems or renders them inoperable. In some cases, the malware is deployed deliberately, destroying sensitive systems either to inflict financial damage or as a way of forcing the target organization’s information systems to become inoperative.

Compliance costs

Another change in the cybersecurity landscape in recent years has been how regulation has encroached on the industry. Depending on the type of breach that occurs and the type of industry the target organization is in there may be fines that must be paid to specific authorities as well as investigations and reports that must be generated, all of which cost money and other organizational resources. In some cases, an organization that suffers a breach may be subject to ongoing reporting requirements for a period of several years. In some jurisdictions, this can include paying for periodic external audits to ensure that the organization has correctly implemented the necessary security controls to minimize the chance of a similar breach occurring in the future.

Join the discussion

Can you think of another breach cost? Share your thoughts in the forum.

Use the discussion section below and let us know your thoughts. Once you’re happy with your contribution, click the Mark as complete button to check the step off, then you can move to the next step.