Forget data protection regulation!
(No, don’t. But let’s set aside data protection regulation and fines for this article.)
While POPIA and GDPR come to the fore when it comes to fines and risks related to data protection, it’s important that we don’t forget that they are not the only financial impact an incident will have. Recently, I’ve been advising on a few incidents as well as chatting to some InfoSec counterparts in the UK about their experiences, and the costs involved in any sort of incident are staggering.
An incident requires a “drop everything and respond” approach. The longer an incident stays open, the more at risk you are. If data is being ‘bled’ from your company, every hour you wait puts more data into the hands of outside parties, and the liability increases with every record. If you are dealing with outsourced teams (as many small and medium-sized businesses are), there can be a surcharge for an instant response or for specialist advisory.
Containment often requires senior consultants on the ground. I use the plural of consultants because hacks and exploits are often complex and deeply entrenched in systems once the initial incident has occurred. This requires experience in different systems, and this costs money. Depending on the incident, it can also involve shutting down parts or all of your network. Here we are talking major productivity and person-hour losses, both internally and from a revenue-generation perspective.
After an incident it is best practice to keep comprehensive records of what occurred. This again uses consultants’ time at hourly rates. Depending on the extent and complexity, reporting can take days even for a small incident. This is not your consultants taking you for a ride; it genuinely takes time to collate all the information and turn it into a factual, easy-to-understand report that can be referred back to in the future.
Following on from reporting is the very real and recommended step of obtaining legal advice. As much as my opening line was to forget data protection laws, they are far-reaching (especially GDPR) and will affect you if you’ve lost any data pertaining to someone in the EU. You will also need advice because an incident like this may have breached both your service agreements or contracts and any non-disclosure agreements (NDAs) you have in place. Breaching these agreements can put you directly in the line of fire for civil action.
In many cases, if personally identifiable information is leaked from your business, you will need to pay for some sort of protection service or reparation to cover the damage. Again, this is at a significant cost to you and is directly related to the amount of data that is taken from the business.
Real-World Example
Let’s look at some figures in these categories to see what the real-world costs are for attorneys, IT professionals, privacy advisory and cyber security consultants. I’m going to use an example of an incident that I advised on recently in conjunction with a number of other professionals, all outsourced for a small business.
This incident involved an employee who was tricked by a phishing email into responding and entering his network credentials (an incredibly common occurrence). Containment happened within 2 hours, and reporting and advisory continued for around 4 days after the fact. I’m leaving out privacy laws because in this instance no personally identifiable information was breached, but it could have been much, much worse. Let’s look at some of the direct and indirect costs below.
- Advisory costs for 3 full days (Privacy and InfoSec) at R 15,600.00 per day
- Senior IT consultancy for 1 day for removal of the exfiltration at R 7,820.00 per day
- Legal Advisory costs of around R 3,450.00 per hour, for a small incident running at around 4 hours
- Entire staff complement offline for at least an hour (including revenue generating staff)
- Ongoing staff productivity losses of 4 employees for 2 days, at around R 1,500.00 per employee per day on salaries
- Revenue loss of 2 consultants during “lockdown” at R 13,600.00 per day
- 5 remote workers completely offline for an entire day
In total, for the 3 days of containment, investigation, reporting and advisory for an incident that was absolutely minor, the total direct cost was over R 80,000.00 (roughly US$ 5,500.00), while lost revenue was estimated to be at least R 50,000.00 (roughly US$ 3,400.00). Amounts not to be scoffed at.
Having advisory on retainer at reduced rates, having safeguards in place, and having awareness training all play a part in preventing this kind of incident and in mitigating it when it does occur. Unfortunately, incidents like this can happen to any business, even with the best safeguards in place, but you can implement measures that reduce both the likelihood of an incident and the impact of what is exposed. Had containment not taken place as quickly as it did, the company could have been in for far worse.
So, do you erect a fence at the top of the cliff as a preventative measure, or do you pay for the ambulance at the bottom and hope for the best?
Ross G Saunders Consulting is a niche data protection, privacy, and InfoSec consultancy, working with a number of professional partners to help your business comply with data protection regulation and good practice. They help with business process, compliance, documentation and more, and can offer a full range of services to take the hassle out of data protection. Why not reach out to find out how they can help you gain a competitive advantage while simultaneously garnering support from your existing and potential customers?