Lapses in Security: The Bigger Picture

The business impact of even small lapses in the security stance can reach many areas of the business. Business impact is most effectively determined by showing the financial cost of successful attacks, such as malware and targeted attacks carried out by perpetrators inside and outside the organization, together with the negative impact on any related business goals and objectives.

The following are some areas to consider when determining the potential financial impact of a breach in security.
  • Downtime. What is the cost of computer downtime in your environment? What if critical business systems providing services to customers or financial reporting to executives are interrupted? Determine the opportunity cost of lost end-user productivity, missing transactions on critical systems, and lost business during an incident. Most attacks cause downtime, either through the attack itself or through the remediation required to recover from it. Historical attacks have left systems down for several days.
  • Remediation time. What is the cost of fixing a wide-ranging problem in your environment? How much does it cost to reinstall a server? Many security attacks require a complete re-installation to be certain that back doors (permitting future exploits) were not left by the attack.
  • Questionable data integrity. In the event that an attack damages data integrity, what is the cost of recovering that data from the last known good backup, or confirming data correctness with customers and partners?
  • Lost credibility. What does it cost if you lose credibility with your clients and/or customers? How much does it cost if you lose one or more customers?
  • Negative public relations. What is the impact to your organization from negative public relations? How much could your stock price fall if you are seen as an unreliable company to do business with? What would be the impact of confidential company records falling into the hands of hostile programmers?
  • Legal defenses. What might it cost to defend your company from others taking legal action after an attack?
  • Stolen intellectual property. What is the cost if your organization's intellectual property is stolen, released or destroyed?
  • Other areas. What could forensic investigations, coordination with law enforcement, and legal action against attackers cost?
  • Lost opportunity. There are direct costs associated with the time taken to “clean up” after an incident versus time spent pursuing business objectives.
