Data breaches cost time, money and reputation. Two recent cases in point are the Epsilon data breach and the revelation that personal information belonging to 3.5 million Texans was inadvertently exposed on the Web.
In both cases, the data breaches shine a light on the importance of protecting data, but what about how organizations should act in the aftermath of a breach? For compromised companies, the question is an important one -- and one that presents an opportunity for security VARs and vendors.
Research from the Ponemon Institute has shown in the past that companies that move too quickly after a breach can often end up costing themselves more money. In its analysis of data breaches in 2010, the institute found that while 43 percent of the companies notified victims within one month of discovering the data breach, these “quick responders” paid an average of nearly $100 more per record ($268 compared to $174) than those who took longer.
“Our results suggest that moving too quickly through the data breach process may cause cost inefficiencies for the organization, especially during the detection, escalation and notification phases,” according to the Ponemon report.
Once a breach has happened, there are four tasks for companies to prioritize, Will Irace, director of threat research for Fidelis Security Systems, told CRN. One, identify the attacker; two, uncover the technical details of the breach; three, assess and improve cyber defenses and strategies; and four, communicate responsibly with the victims.
“Each of these discrete tasks represents an opportunity for vendors,” he said. “No specific technology, including encryption, can be regarded as a solution except as part of a coherent broad strategy for handling data breaches.”
In the case of Epsilon, the company was quick to notify customers, but left details of the actual attack under wraps. The company, which is owned by Alliance Data and offers marketing services for more than 2,500 clients, announced April 1 that an attack on its e-mail system had been detected March 30. The attack exposed e-mail addresses and or customer names for roughly 2 percent of the firm’s clients, including Marriott International, Walgreens and others.
Shortly after being notified by Epsilon, several companies issued alerts of their own. Marriott for example told customers April 4 that an “unauthorized third party gained access to a number of Epsilon’s accounts, including Marriott’s email list.”
Victims of the Epsilon breach faced potential fallout in the form of spear phishing, a threat that prompted warnings from security vendors and the Better Business Bureau.
“It seems to me that customers, the public and the security community are helped by maximal disclosure, so that customers can take appropriate steps to protect themselves, the public can increase its awareness of data breach risks in general, and the security community can improve its practices when it comes to preventing and responding to breaches,” Irace said. “Companies may be understandably reluctant to share the preferred level of detail, in order to protect their reputation or other information deemed secret.”
Next: The Role Of Law Enforcement Authorities