Tactical Advice

The Cost of a Breach

One breach can ruin your business, but there are ways to prevent, detect, respond to and remediate the worst cases.
This story appears in the December 2008 issue of BizTech Magazine.
Gerard M. Stegmaier of Wilson Sonsini Goodrich & Rosati

A recent estimate by the Ponemon Institute pegs the average cost of a large security breach at $6.3 million. Such a breach could cripple or even bankrupt a small business. Preventing security breaches and managing them when they occur have become a critical piece of every company’s information governance program.

Prevention, detection, response and remediation are the critical phases in planning for a security breach. Because virtually every state has passed legislation modeled after California’s security breach notification law SB 1386 — which requires custodians of personal data to notify affected parties in the event of a breach — more companies have begun to focus on these issues.

Let’s start with prevention. The most common type of breach is internal. Employees may volunteer information to outside individuals when they should not, or access to company information may not be cut off when an employee is terminated. Companies can take steps to improve security by creating specific written policies that are regularly audited. Such policies often require businesses to:

  • Regularly change passwords and discourage employees from choosing obvious passwords or leaving their passwords written down in plain sight near their computers.
  • Appoint someone who has the authority to make necessary improvements and conduct unannounced tests that penetrate the company’s systems and identify vulnerabilities.
  • Terminate network access, including remote access, for recently discharged employees.
  • Develop information use and access procedures to manage the company’s data.
  • Create a written incident response plan that helps the company respond systematically to security breaches.

Detection and response may be the most difficult aspects of dealing with threats to an organization’s data. Intrusion detection technologies have improved, but even when companies have adequate internal security protocols and procedures, IT managers may be reluctant to admit that their systems have been compromised. They may also be inclined to investigate on their own, potentially delaying an effective response and increasing the company’s liability.

When a company suspects its systems have been compromised, it should immediately seek legal counsel. Another important decision is whether or when to call law enforcement agencies.

This decision requires weighing the cost and benefit of relying on internal or private resources before (or in lieu of) contacting law enforcement. The use of law enforcement inevitably entails a certain loss of control, presents coordination and interference issues, and may lead to negative publicity or disruption of the company’s business.

Gathering the facts remains among the most important activities in responding to an incident. Having appropriate systems in place can be invaluable in determining if a breach has occurred and identifying its scope. Preserving evidence may require specific and unusual measures that may be unfamiliar to many employees, especially the IT pros who might initially respond.

Remediation may overlap other steps in timing, but it is often the most important as a test of the company’s preparedness. Having clear internal lines of authority and establishing relations, in advance, with key outside actors may be valuable. Knowing appropriate local law enforcement personnel may be helpful. Understanding the company’s insurance coverage can also be invaluable, as many insurers now offer coverage for the costs of incident response and breach notification.

Finally, when data is central to a company’s success, elevating security to the corporate governance level may be wise. Because of potential liability, top officers may find themselves confronted by costly litigation as a result of the security measures they took — or failed to take. Given the potential consequences, companies must be prepared to manage these issues.

Gerard M. Stegmaier is an attorney in the Washington, D.C., office of a national law firm and an adjunct professor at George Mason University School of Law where he specializes in privacy and information governance.