How Breaches Affect Companies
Cybersecurity professionals have a fundamental problem: you’re protecting a company that doesn’t understand or appreciate what you do. Upper management is loath to give security any more resources than what it deems “enough,” and your work is seen as a necessary evil. No one credits the effort it takes to keep risk low while no breach has happened, and when a breach does occur (one you probably warned about), the blame falls on you.
Preventing a breach is no longer solely the IT and security division’s responsibility. Because the impact of a breach now reaches the entire company, maintaining the company’s security hygiene is, and should be, a company-wide effort. When a trained workforce shares the most basic responsibilities, the security team’s time and budget can go toward building and maintaining an environment that promotes and enables good cybersecurity hygiene.
This blog post will explore:
- How Breaches Impact Each Division of the Company
- How To Get Buy-In From Each Division For Implementing Security
How Breaches Impact Each Division of the Company
A breach today is not just the IT department’s issue to deal with. These digital breaches have clear, tangible costs for all aspects of the company. To that end, we’re going to discuss the costs associated with a breach in a different way: by describing how it affects each division of the company.
This shift in framing makes it easier to see that the consequences of a breach reach everyone in the organization:
- their individual jobs
- their workload
- added friction in their day-to-day workflow
- loss of previous work
From there, security professionals can get support from their coworkers. Approaching the subject from this angle will result in greater buy-in from the entire organization.
Let’s explore how each group’s work responsibilities are impacted after a corporate breach, and from there how security professionals can get their buy-in. Though the list will differ from company to company, as a general rule of thumb each company has the following divisions:
- Marketing and Sales
- Finance
- Product and R&D
- HR and Legal
- Information Technology
- Leadership
Marketing and Sales
Marketing and Sales individuals should care about their role in security because a breach impacts the company’s image. It becomes significantly harder to ask for data or generate inbound leads when your company’s latest data breach scandal is a quick search away. The marketers now need to do damage control for the company’s reputation, a process that can be set back by the threat of another breach.
“Reputation losses and diminished goodwill” make up part of the $1.59 million average cost of lost business in a data breach (Cost of a Data Breach 2021, page 16).
Sales calls are already tough. Sometimes the first thing a prospect does is search your company’s name, and it becomes awkward for the sales team when the recent breach made the headlines. Nobody on the sales team wants to field questions about that breach, explain why a prospect should trust the company with anything, or watch current accounts decline to renew their contracts.
Here’s how you can convince Marketing and Sales to buy in: avoid reputational damage and maintain goodwill by minimizing breaches. Apple famously touts user privacy in its marketing campaigns. While there is no public data on how much this helps their sales, the fact that Apple keeps running that message implies the benefit is not insignificant.
Finance
The finance team is probably mired in paperwork if banking and/or payment processing information was potentially compromised in the breach. They may also need to authorize funding for third-party security specialists after the breach. If theft or fraud happened, the finance team has additional work to comb through to understand what was stolen, what may have been changed, and more.
If the breach involved ransomware, more funds need to be allocated — “The average ransom paid by mid-sized organizations was US$170,404” in 2021, and “the average bill for rectifying a ransomware attack, considering downtime, people time, device cost, network cost, lost opportunity, ransom paid etc. was US$1.85 million.”
Or was it an insider threat, which cost an average of $15.38 million in 2021?
Here’s how you can convince the Finance team to buy in: ideally, provide the numbers. If any of your company’s competitors have been breached, use their unfortunate experience as a baseline for estimating the cost of an equivalent breach at your company.
Product and R&D
This refers to those responsible for creating the product(s) and how their workflow is impacted by a breach. As digital infrastructure becomes inseparable from everyday workflow, even efficient companies will see productivity grind to a halt under ransomware and breaches, and that disruption hurts the bottom line.
Malicious attacks that destroyed data in destructive wiper-style attacks cost an average of $4.69 million (Cost of a Data Breach 2021, page 8).
A ransomware or supply chain attack can lock Product and R&D out of their systems while they wait for IT to restore from backup (assuming the backup was not also wiped or encrypted). The fruits of their labor, such as intellectual property and data, may now be for sale on the dark web. Maybe the source code is out in the wild as a result of the breach, and attackers reading it have found vulnerabilities that R&D now has to work overtime to patch. To make things worse, organizations that pay the ransom recover only 65% of their data on average.
And what if the product is a platform or service that is now experiencing a denial-of-service attack? Imagine if a breach results in your company’s platform or service being down for just five minutes — how much in revenue is that? Someone better ask the Finance team.
Here’s how you can convince Product and R&D to buy in: they are probably already bought in; they just hate it when security gets in the way of their workflow. Security should not be a growth blocker but a growth accelerator. Product and R&D want security in the background so they can be productive, confident that their work and progress won’t be arbitrarily lost or stolen. It is our job as security professionals to provide a secure environment that enables this mindset.
HR and Legal
HR has a tough decision ahead of them after the recent breach: Should we make everyone sit down for another cybersecurity awareness training or not?
Depending on what caused the breach, it may be very clear that some people did not pay attention to how they can be socially engineered. To top it off, the HR team now has an emergency task: hire more security staff and find third-party specialists to sweep the company’s internal networks.
Making it worse, there are whispers that the breach was the result of an insider. The question is: was it just employee negligence? Is the employee a malicious insider? Or was it an impostor using stolen credentials? Separating fact from suspicion is difficult and costly; the average annualized cost of insider threats by type is:
- $6.6 million for negligence
- $4.1 million for criminal insider
- $4.6 million for credential theft
Legal has its own headaches after a breach, and the costs only grow.
IBM’s report found the average cost of a breach at organizations with high-level compliance failures to be $5.65 million. The press release admitting that a breach has happened probably needs to go through Legal as well. If personally identifiable information (PII) was stolen, Legal needs to know so the affected customers can be notified. And the Legal team needs to talk to Finance about allocating funds for compliance fines and audits.
Here’s how you can convince HR and Legal to buy in: improved cybersecurity hygiene means significantly less paperwork for them. They don’t need to play the bad guy in the organization, forcing people to sit through another extended training session. HR and Legal definitely don’t want to run an internal investigation that levies accusations of suspicious activity against their coworkers. A win for the company’s cybersecurity hygiene is a win for them.
Information Technology
The IT department probably saw the writing on the wall because no one at the organization took security seriously. Now they’re running around putting out fires and resisting the urge to say “I told you so.” The breach they warned about has happened, and while it should be a strong incentive for the company to give IT the budget and personnel to upgrade and implement new systems, management will defer. The IT department head will consider applying elsewhere and changing their legal name to Cassandra.
Here’s how you can convince IT to buy in: show them this blog post and tell them they’re doing well. Start tracking “days since last breach,” but make it a company-wide KPI rather than an IT one. The IT team wants to know they’re not the company’s sole bulwark against the unending tide of attackers. Thank your security team today for helping keep your information safe.
Leadership
Management is angry that this happened, for all the reasons above: the company’s brand is damaged, customers are churning, previously forecasted earnings and sales may need to be walked back, and IT is bugging them about an upgrade that does not improve profits in any of the company’s models. Meanwhile, breaches are cutting heavily into projected profits; why is the company paying millions a year because of them?
To top it off, the C-levels now have their access privileges cut back and must go through IT for access in the future, all because one of them clicked a link by accident.
Here’s how you can convince Leadership to buy in: show each of them the various ways a breach affects the division they oversee, ideally tying a breach to how it hurts their KPIs and OKRs. It doesn’t have to be hypothetical; breaches are reported every week, and you can narrow the search to breaches in your own industry.
The aftermath of a breach isn’t just the cleanup, restoration, public shaming, and apology tour. It’s the heightened sense of insecurity from newly exposed weaknesses; in 2021, 85.3% of organizations experienced a successful cyberattack and 40.7% experienced more than six.
Once an organization has been breached, every attacker on the internet knows it can be breached. Worse, leaked data exposes the organization’s employees to follow-up social engineering attacks in their personal or work lives. A successful breach is the beginning of a protracted, recurring nightmare of costs and lost confidence.
A company-wide effort is necessary for maintaining security against the modern threat landscape and it is up to security professionals to lead the culture shift within their organizations. Enable this shift in mind-set and workflow by implementing a secure environment that serves:
- End users who need something like a VPN
- DevOps who need a way to quickly provision resources
- Developers who want control over their application environment
It’s never too late to reevaluate the organization’s security posture and integrate security with all of the organization’s activities. The value of having security built into the process is going to reward the organization in the long run.
“More than six out of seven organizations (85.3%) experienced a successful cyberattack within the last 12 months.” When your organization’s security posture is inadvertently put to the test, do you have confidence in it? Is it time to reevaluate your security posture?
Until next breach! Hopefully, yours is relatively contained.