The tremors when a security/privacy incident occurs

Andrew David Bhagyam
4 min read · Mar 30, 2021


First of all, we should know that information security and privacy are not the same thing; there are distinct differences between the two.

Information Security — It is about protecting all data from unauthorised access, modification, use, destruction, and disclosure. Confidentiality, Integrity and Availability are the core principles of information security.

Information Privacy — It is about protecting personal and sensitive personal data from unauthorised access, modification, use, destruction, and disclosure. But in addition, privacy has to do with the 3 C’s — “Choice, Control, and Consent” — and this is where it mainly differs from information security.

Note also that Information Security is backed by standards, compliance frameworks, contractual commitments, and the like, while Information Privacy is backed by regulations, contractual and organisational commitments, and other ‘law’-powered provisions.

In general, the following happens when an organisation faces a security or privacy incident or breach.

1. Breach of the trust that users have in the organisation and its products and services

2. Public Response — Negativity and blame

Here are some other tremors that accompany an incident:

3. Incident analysis and Root Cause Analysis involves a HUGE EFFORT.

Observing the incidents that happened in the past in the SaaS environment, it takes an average of at least 100 man-hours to get some level of clarity on the issue, identify the bug, and get the patch ready. That is about 10 people working for 10 hours a day. Why waste time on this when we could be developing new features or driving more sign-ups?

4. Drafting of emails, blogs and social media messages to be put up publicly.

This takes about 8 hours to finalise the content, especially the email (the content may vary by country, type of incident, scope of the incident, and different conditions, e.g. one text for a user who used a particular feature in a particular way and another text for a user who used that feature in a different way).

It would involve multiple rounds of review before it is post-worthy. On average it takes the effort of 3 people working for 3 hours per day on this. Consider weekends and different time zones too (e.g. comms review teams helping with the review from the other side of the world).

5. Investigation, forensics and notification efforts

I’ve worked on a number of incident analyses, and it is seen that some issues, or finding the exact number of affected users and the like, need help from experts and SMEs. So we may even need to hire external security specialists and lawyers to trace the root cause, conduct forensic analysis, create legal documents, etc. During this phase too, the involved teams spend close to 70–100 man-hours assisting the external team in the analysis.

Adding to it, on average it costs about Rs. 1–2 Lakhs per day to pay for these external specialists (varies based on the issue/incident severity and scope).

6. Forceful compliance reporting

Regulators (such as the FTC, EDPB) will mandate us to comply with their orders and provide a report of compliance to them on a bi-annual basis (e.g. Equifax). This takes up double the time of the central compliance, security, privacy and incident teams to audit and prepare these reports, instead of pursuing new certifications for our company that would help improve the business.

7. Drastic decrease in new customers

The organisation would be all over the news and social media, and prospects would strike that company off their third-party vendor assessment checklist straight away! P.S.: ‘Has your organisation experienced any security incident in the last 5 years?’ is one of the standard questions prospects ask when looking to purchase a product or service. The company would have to answer ‘Yes’, and the prospects’ automated evaluation tools would disqualify it.

The above are just the external-facing problems. Below are the internal repercussions for an organisation facing an incident:

1. New and stricter rules, which would certainly get in the way of the organisation’s culture and productivity. We don’t want that, do we?

2. Creation and updating of policies, procedures and other documents. More writing work. Not everyone likes to write (“#UnProductive”) so much, right?

3. May even lead to the firing of employees, depending on the severity of the incident (especially if the incident occurred through an act of negligence or was intentional). Would the organisation want to waste time finding and training another resource?

4. Additional training for employees. The organisation may need to spend more time attending training sessions and taking more tests!

5. Restructuring of the organisation (could happen).

6. Heavy financial losses (yes, the very same hard-earned money that the organisation gets when users purchase its services or applications):

a. To pay for the external specialists (forensics, attorneys)

b. To pay for the press and PR (public response)

c. To pay users (monetary compensation as agreed in the MSA and DPA for breach response and breach of contract)

d. To pay for mandatory services such as identity theft monitoring and credit monitoring

e. To pay the regulators

f. To refund customers if they downgrade after the incident

g. To pay for breach notification to the end users of our customers (yes! this may be mandated by customers in their agreements with the organisation, such as the MSA and/or the DPA)

If the organisation ends up losing or spending a lot of money as a result of an incident, it may have to cut down on employee headcount, employee benefits (cab, food, gifts) and appraisals too, in order to cover the above-mentioned expenditure.

I’m sure no organisation wants this to happen, and we all have the right attitude to prevent any such occurrence. However, things don’t always go the way we expect them to. Unless the company proactively prioritises Information Security and Privacy efforts in its daily activities (right from concept design to production and management) and has layered protection (defense-in-depth), it would still be facing the giants at the border lines!

Written by Andrew David Bhagyam

Security & Privacy geek, Data protection thought leader, hacker, musician, Christian(I don't believe in religion, but I believe in Jesus Christ)
