In Depth

It's Not Easy Being Breached: Calculating the Cost of a Cybersecurity Breach

Surviving an information security incident is just the beginning. Then you need to figure out what it really cost.

By Simone Kaplan

December 09, 2002

CSO

Calculating the cost of an information security incident

A veteran CIO of a New York City-based financial services company learned in July 2002 that several vital files had vanished from one of his company's 25 servers. An employee had tried to find some information and failed. That's when IS discovered that there was, in fact, no company information on that particular server at all. Panicked, the CIO and his staff went into emergency mode. They soon discovered that a hacker had found his way through their firewall and wiped out all the production files on the server, leaving chaos and a couple of strangely labeled files in his wake. Two frantic days—and 15 hours of work—later, the alien files were deleted and the missing data restored through backup tapes. But it took an additional two weeks to be sure that the hacker hadn't accessed and tainted any of the company's 24 other servers.

All told, the CIO (who spoke on condition that his name not be used) reported that the breach cost the company $50,000. But when asked how he came up with that number, he said he honestly couldn't say. Because he really wasn't sure.

"We didn't do a line-by-line breakdown of the costs because it didn't seem necessary at the time," he admits. "But consultant costs, loss of production time and overtime for the IT staff were part of it."

Even if CISOs can quantify the cost of a breach, few executives will talk on record about it. Companies have an incentive to downplay, or downright hide, such information. "It's embarrassing to admit that a hacker got through your firewall," says Tina LaCroix, CISO of Aon, an insurance provider. "Most companies won't give out the real information [about breaches]. They don't want you to know they have vulnerabilities because they make the CSO look bad."

"No one wants to be the company on the front page of The New York Times," says Thomas Varney, a director of technology assurance and security, who spoke on the condition that his Fortune 100 company not be named. But ignoring vulnerabilities won't make them go away. Every day (or so it seems), another consultancy reports dire new statistics on the cost of security failures. According to the 2002 Computer Crime and Security Survey from the Computer Security Institute and the FBI, 80 percent of the 503 security practitioners surveyed acknowledged financial losses due to cybersecurity incidents, but only 44 percent were willing (or able) to quantify losses.
