BUSINESS IMPACT OF BREACHES - Information Security A Practical Guide: Bridging the gap between IT and management (2015)

CHAPTER 2. BUSINESS IMPACT OF BREACHES

Chapter Overview

One of the key issues when joining an organisation is understanding the value of the data the organisation has. As you speak to different members of the business they will insist that nothing is more important than their data. This is of course not true in all cases, and the real challenge is to prioritise the importance of all the information so you know where you need to focus your efforts and time.

The best way to understand the value of data is to assess the impact on the business should that data be compromised. Impact on the business comes in many forms: reputational, financial or even legal; any of these could put an organisation out of business.

This chapter discusses the different types of data and gives you the ability to assess the impact on the business should the data be compromised. I have used broad terms to cover as many different types of data as possible, and this one-size-fits-all method should be applied with some common sense. It is often best to discuss these areas with those who are responsible for the data, as they have the best understanding of the impact.

Objectives

In this chapter you will learn the following:

• Broad types of data

• Impact of compromise.

The impact of compromise forms the basis for my quick and dirty risk assessment discussed later in the book.

How to Assess the Impact

In the following sections you will be presented with some broad data types. These are intended to broadly categorise the data your organisation has and to begin to understand its importance in the wider organisational context. You will then be given some business impact areas with which to assess the impact of the data. For the dataset you are assessing, you must consider separately what happens if its confidentiality, its integrity or its availability is compromised. An impact on any aspect of CIA has varying levels depending on the data and the business. For example, customer data will have a bigger impact if its confidentiality or integrity is compromised, whereas a compromise of its availability will be an annoyance but is less likely to affect us as much.

During your assessment you should consider the impact of a single record from the dataset against the entire dataset. For example, if an eCommerce site lost a single product from its online store then the impact would be much less than the loss of its entire product range. It may also help to consider how the impact would scale as a larger proportion of the dataset is compromised.

Finally, consider any links to other datasets. When data is linked with other datasets it can have a major impact on the business. For example, a simple dataset of UK postcodes that is used on the eCommerce website would be an annoyance if it was corrupted. But, if that dataset is used for delivery addresses for our customers then the impact could be wide-reaching and severely damage our finances and reputation.

Data Types

Core business data

Core business data will almost certainly be considered the most important by the business; it should be the organisation’s reason for being. This data forms the heart of the business or allows the business to function. For example, Netflix has a vast array of TV shows and films, and if this was lost then their service would be severely disrupted. Another example is if all the products for sale on eBay’s website were deleted from its databases then they would not be able to carry out their primary business function. It is important to understand what data the business has and what data is considered key to business function.

Personal data

Personal data is data that relates to people, whether they are your customers or your own staff. This is data that relates to their identity, so their name, address, date of birth and so on. Usually this data is kept to facilitate core business function and may be equally as important to the business. If we borrow our previous Netflix example but this time our customer data is compromised, our business could be impacted in the same way. Customers may not be able to access the service or, if the data is stolen, Netflix could find itself on the wrong side of legal action.

Personal financial data

Personal financial data is any financial data relating to customers or staff members. In the case of our staff this could be part of a payroll system so could include bank account details. In the case of customers this could be card and payment details as well as bank account details. This is the sort of data targeted by hackers as it is often a quick win for them financially.

Company financial data

Company financial data can fall into two categories: data relating directly to finance – so accounts, bank cards and other directly related financial data – and data relating to sales and purchases, such as accounting data a company keeps for its balance sheet. The sensitivity of this data can vary depending on who the organisation is and what it does. For example, a government department is required to disclose its financial data each year, whereas a private company does not have to do so. Also, the sensitivity can be dependent on how healthy the organisation’s account data is; an organisation in bad financial shape may want to keep this fact from the wider public so as not to scare away potential investors.

Third-party data

Third-party data is another set of data that is hard to define generally, as it is any data given to you by another organisation. It could be purchased or provided under contract. The data could have varying degrees of sensitivity depending on what it is and how the organisation intends to use it. Any controls or responsibilities are defined in a contract between your organisation and the provider of the data.

Impacts

Under each area of impact I have given three levels of impact, ranging from minor to major. I have purposely included three for each, as these three levels are used later in the quick and dirty risk assessment chapter. The three areas roughly relate to low, medium and high.

Reputational Damage

Reputational damage is often the most difficult to define, as it’s hard to put a number on the level of reputational damage. The best way is to think about who would care if there was a data breach. The more people who care, the wider the impact is likely to be, and this impact will also be affected by the size of the organisation and its current reputation. An organisation with a bad reputation is likely to attract extra attention.

National news

Would the breach make national news if it was public? Would the breach be front-page news or be covered by several national newspapers and news channels?

Local or specialist news

Would the breach make local or specialist news if it was made public? Would the breach be published in local newspapers and be broadcast on local news broadcasts? Is the breach likely to only attract specialist news outlets with an interest in the subject or sector your organisation operates in?

Minor discussion

Has the breach only generated minor discussion, perhaps between customers or those affected by the breach? Have mainstream news outlets shown no interest in the breach? Has your organisation even been approached to make an official statement?

Personal Impact

Personal impact is perhaps the most damaging to an organisation, because it often affects the customers themselves. If enough people vote with their feet and take their business elsewhere, this can cripple an organisation. This type of impact inflates quickly with the number of people who are victims of the breach. A recent high-profile breach of this nature affected Sony’s PSN network, where a number of user details were stolen. The impact of this type of breach varies considerably depending on the nature of the breach and the local attitudes to information security.

Personal finance

Financial data relating to a person can be the most crippling to that person if lost. For example, if an organisation were to lose a person’s bank details then there is the possibility of their accounts being emptied. Financial data is often the most sensitive to the individual and can have a dramatic impact on that person’s standard of living. It is highly likely that this type of breach would result in both criminal action against the organisation and civil action, with the likelihood of being sued.

Personal identity lost

Although still a sensitive area, often people’s attitude towards their identity is somewhat more relaxed than that of their financial information. An example is the amount of personal information people share on Facebook without hesitation. That said, if a breach of your organisation’s personal data leads to identity theft of your customers then it is likely your organisation will be held liable.

Minor personal data lost

Minor personal data is any data that wouldn’t result in the loss of a person’s identity. So, for example, a username and password or even an email address. The breach would still be an annoyance to those involved but it is unlikely to cause long-term distress to the individual. Often the real impact is to the organisation that has to work to encourage users to change passwords so that further compromise doesn’t arise.

Contractual Impact

Contractual impact relates to any business contracts your organisation may have with another, either for the provision of a service or data. So, for example, you may have outsourced your cleaning services to a third party or you may purchase Google Earth data. This section details the impact on a contract should the data be compromised, for example if your organisation lost the personal details of the cleaners currently deployed to an office.

Loss of contract

This is a straightforward impact to assess: would the data breach result in the termination or loss of a contract? This impact obviously scales depending on the size of the contract and its importance to the business. But there is more than one way to lose a contract: for example, the breach may mean a clause within the contract itself has been breached, causing termination, or you may currently be in a bidding process and the breach causes the proposal to be withdrawn.

Contractual fines

This is less severe than the loss of a contract, but again we need to be pragmatic about how it is defined. Some larger contracts may attract fines larger than the entirety of a smaller contract. An example could be the provider of your desktop infrastructure versus the company that delivers the coffee.

Contractual warning

The breach is acknowledged by the third party but no specific action is taken: the incident is logged and your organisation is reminded about its contractual obligations. Although this isn’t a severe impact, if a number of these low-impact events occurred then it could result in a fine or termination of the contract.

Financial Impact

This is the most traditional way to measure impact on the business – the estimated cost of the impact. When the cost of a data breach is quoted, people often dismiss it as being inflated, but I want to clarify where the additional cost comes from so that your own assessment takes this into account. Let’s say, for example, our organisation is an e-commerce business and on average we make £10,000 an hour from our website; our website is down for six hours, so that totals £60,000. The actual cost of the breach will be much greater, as we need to add: the cost of the staff involved in managing the incident, the cost of investigating why the incident occurred and finally any actions taken to safeguard against the incident in future. The cost of specialist skills to carry out an investigation can be expensive, as can the cost of new IT infrastructure to prevent a further occurrence of the incident. This is why the figures quoted for financial impact are typically higher than just the money lost through lost trade. The following levels of impact are easily defined; however, depending on the size of your organisation you may need to adjust them so that the costs accurately reflect the impact your organisation would feel.

More than £1 million

The total cost of the incident is in excess of £1 million, including loss of trade, incident management and any future actions.

More than £250k but less than £1 million

The total cost of the incident is in excess of £250,000 but less than £1 million, including loss of trade, incident management and any future actions.

Up to £250k

The total cost of the incident is less than £250,000, including loss of trade, incident management and any future actions. Note that the very fact your organisation cares enough to respond to the incident means that this level is reached.

Legal Impacts

The legal impacts purposely only have two levels, because (and I know it’s never a simple matter) you are either in breach of the law or not. In the UK we have two types of law: criminal and civil. Criminal law relates to crime and breaches of the various UK laws, and civil law focuses on disputes between two parties. The biggest difference between the two in terms of punishment is that a breach of criminal law can result in a prison term, whereas a breach of civil law is only punishable by financial penalty. Often, if you are in breach of criminal law you will also invite a case under civil law, especially if the victim feels they should receive compensation.

Criminal law case

The breach has brought about a criminal investigation or the police are considering it. The organisation has liability if such a case is brought forth and will be required to defend itself in a court of law.

Civil law case

The breach has brought about one or more civil cases against the organisation. You will need to consider the size of these civil cases to determine the level of impact. It is worth relating the cost to the financial impact section in order to better assess the level of impact.
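To show how the rubric in this chapter can be applied in practice, here is an added worked example (my own code, not from the book) that encodes the three impact levels, the financial bands, the total-cost breakdown from the e-commerce example, and the chapter's advice to assess each CIA property and to follow links between datasets. The `Dataset` class and its rule that a dataset inherits the worst impact of any dataset depending on it are simplifying assumptions made for the example.

```python
from dataclasses import dataclass, field
from enum import IntEnum


class Level(IntEnum):
    """The three impact levels used across the chapter (roughly low/medium/high)."""
    MINOR = 1
    MODERATE = 2
    MAJOR = 3


def breach_total_cost(hourly_revenue, downtime_hours, staff_cost,
                      investigation_cost, safeguard_cost):
    """Total cost of an incident as the chapter defines it: lost trade plus the
    incident-management staff time, the investigation and any future safeguards."""
    lost_trade = hourly_revenue * downtime_hours
    return lost_trade + staff_cost + investigation_cost + safeguard_cost


def financial_level(total_cost_gbp):
    """Map a total cost in GBP onto the chapter's three financial bands."""
    if total_cost_gbp > 1_000_000:
        return Level.MAJOR
    if total_cost_gbp > 250_000:
        return Level.MODERATE
    return Level.MINOR  # any incident worth responding to reaches at least this band


@dataclass
class Dataset:
    """Impact assessment for one dataset (hypothetical structure, not the book's):
    a level per impact area for each CIA property, plus the datasets that depend on it."""
    name: str
    # e.g. {"integrity": {"reputational": Level.MAJOR, "financial": Level.MODERATE}}
    impacts: dict
    linked_to: list = field(default_factory=list)  # datasets that consume this one

    def own_level(self):
        """Worst level across every CIA property and impact area for this dataset alone."""
        levels = [lvl for area in self.impacts.values() for lvl in area.values()]
        return max(levels, default=Level.MINOR)

    def overall_level(self):
        """Simplifying assumption: a dataset inherits the worst impact of any dataset
        that depends on it, so a corrupted postcode list used for delivery addresses
        is treated as seriously as corrupted addresses. Links are assumed acyclic."""
        return max([self.own_level()] + [d.overall_level() for d in self.linked_to])
```

The book's own example (£10,000 an hour, six hours down) gives £60,000 of lost trade, which falls in the lowest band; adding staff, investigation and safeguard costs is what pushes an incident into the higher bands.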