-Tom Kellerman, CEO & Aaron Applbaum, Director of Investments
The insufficiency of perimeter defense has been hotly discussed and is now an overwhelmingly agreed-upon premise. Major breaches over the past half-decade have forced consensus that not having security measures inside an organization’s firewall is irresponsible. Education is still required on the metrics for success when implementing inside-out security measures. Surely avoiding a network breach is an enterprise’s ultimate measure of success, though the supposition that an adversary is already on one’s network is realistic. When a breach occurs, the exfiltration process is not immediate: a hacker must maneuver, explore, and collect information before she has found that which is valuable. Gone are the days of smash-and-grab cyber burglaries. In today’s increasingly punitive cyberspace, cybercriminals have transitioned from burglary to home invasion. Victim organizations are experiencing multiple criminal schemes of monetization. Data is stolen, and subsequently the brand is used against its constituency via watering hole attacks and business email compromise campaigns.
According to Verizon’s Annual Breach Report, 81.9% of compromises are caused by breaches that took minutes to accomplish, while 67.8% of compromises took days to reach the exfiltration stage. The survey noted that it took months for a victim organization to respond to a cyber-intrusion. Given the reality that the cybercriminal has a footprint within one’s network for an extended period, one must alter one’s security posture accordingly. The metric by which we can assess the potency of a cyber-countermeasure is how effectively it decreases an adversary’s dwell time. Decreasing dwell time is the measurable metric by which we can value a return on investment for an enterprise.
Diving down into what decreasing dwell time affords the enterprise requires an examination of what the costs are to the enterprise when exfiltration of their data occurs.
The Ponemon Institute unpacks the relationship between dwell time and the ROI associated with brand protection. They have calculated that US organizations pay around 4 dollars per customer post breach. The cost breakdown takes into consideration customer turnover, amplified customer acquisition efforts, and general “reputation losses and diminished goodwill.” The number one factor that impacts the cost is the time it takes to identify and contain a data breach. Ponemon examines “the relationship between how quickly an organization can identify and contain data breach incidents and financial consequences.”
“Figure 22 shows an upper-sloping linear relationship between total data breach cost and mean time for 383 companies in 12 countries. This significant relationship suggests the failure to quickly identify the data breach will lead to higher costs”
“Figure 23 also shows an upper-sloping linear regression line between total data breach cost and MTTC. Like the above, this significant relationship suggests the failure to quickly contain the data breach will lead to higher costs. If the time to contain the breach took less than 30 days the cost to contain was $3.18 million. If it took more than 30 days, the cost was $4.35 million.”
According to the Ponemon Institute, the average cost per stolen record is $158 USD, with a total average breach amounting to 4 million dollars (excluding the enormous tail-event mega-breaches), which is up 29% from similar events in 2013. When a breach occurs, the first bucket of costs includes hiring a third-party entity to guide the organization through the process. Then there is the hiring of investigative services to determine the nature and depth of the damage. The communications effort and customer outreach that is required then costs additional capital. There are then the long-term costs associated with legal representation, settlements and fines. According to the Ponemon Institute, it is the retention of customers that is the most costly: “The biggest financial consequence to organizations that experienced a data breach is lost business…organizations need to take steps to retain customers’ trust to reduce the long-term financial impact.” It is here that more conversation needs to take place; the calculable costs of investigation and remediation are better understood. How extensive is the long-term damage that is less tangible? How can we begin to quantify the loss associated with brand degradation?
For starters, there is a real cost associated with customer churn, and an elevated cost of customer acquisition and retention. The cost “X” to acquire a customer is different for every organization, but acquisition gets more difficult when the company has a bad reputation. Retaining existing customers is also costlier: breach-related churn is calculated at around 2.9% in the United States, so we have a “Y” cost of churn avoidance. If an adversary manages to successfully exfiltrate not only customer data but also trade secrets, then the stolen intellectual property carries a “Z” value for the loss of competitive advantage. Finally, there is a value “Q” for personnel turnover: as some of those who are perceived to have allowed the company’s reputation to become sullied are fired, new, expensive people replace them or get added to their team. The multipliers associated with X, Y, Z, and Q are different for every organization, given its size, industry, and the magnitude of the breach. It is important, however, to add these costs to the “four-million-dollar average” breach calculus. For financial institutions, the coefficients will be amongst the highest.
An equation to express how these variables can be used in tandem:
(1.01 * X * Quantity New Customer) + (1.05 * Y * Quantity Affected Customer) + ((Rev[Q4] − Rev[Q3]) * 4 / Expenses_SalesMarketing[Q3]) + (S of Q Salaries of new hires and payouts for fired personnel) + ($4,000,000 Incident response and notification costs) = T
These additional costs will all asymptote to zero as human memory fades, but not before causing long-term damage, and, as in the case of Yahoo, the damages get renewed more than once.
The more dwell time the adversary has in the environment, the longer it takes to detect and contain a data breach, the more costly it becomes to resolve, and the harder a brand’s reputation is hit. The most important step in maximizing ROI for investing in cybersecurity technology is deploying whichever solution maximizes brand protection.
Strategic Cyber Ventures has invested in a suite of complementary technologies that specifically aims to diminish adversary dwell time through intrusion suppression. Investing in intrusion suppression will keep costs down in the event of a breach by stifling the adversary’s exfiltration of meaningful data which, in turn, protects the reputation of the enterprise that has been breached. The most direct calculable return on investment for cybersecurity procurement is that which protects a brand by reducing dwell time.