Alert: Tracking exposed OT/ICS: 2017 – 2024

Ornamental dots. Two rows of three dots. The top row is a light blue. The bottom row is one light blue dot followed by two orange dots. Blog

How Much Does a Breach Really Cost

Cyber Bob, Principal Security Engineer and CTO at Forescout | May 21, 2019

Twitter: @MeetCyberBob

Let’s dig into some numbers of a high-profile breach to hit home the real costs of a cyber attack. This calculation can be applied to other breaches as well, so I’m not picking on anyone.

Equifax announced on March 1st, 2018 that they had been breached. It is now over a year later, some dust has settled and a proper analysis of the incident can be taken. While there are still some big expenses that will most likely roll forward, such as legal expenses, the reports show that the hack has cost the organization 1.4 billion dollars over the last 14 months. Let that sink in… 1.4 billion dollars from an organization that announced end of year results for 2018 was 3.4 billion.

The magnitude of the financial impact demonstrates that we need to reevaluate our approach to security across the organization. The Equifax end of year Financial report states “We must embed security into everything we do.The supplemental numbers from the report show why we need to make this change:

    • $690 million in legal fees
    • $82.8 million for technology purchases
    • $12.5 million for legal and investigative fees (in addition to the legal fees already mentioned)
    • $1.5 million for product liability insurance

The largest allocation out of the 1.4 billion spent? Operations costs, training and people made up $786.8 million, 56% of the current cost.

The source of the breach is quite interesting. It was based on the Apache Struts vulnerability. There’s a list of many vulnerabilities, but the particular vulnerability that hit Equifax was known for months. In fact, Equifax was even using a vulnerability assessment (VA) in their environment. Even with the VA solution, there were still had gaps in what they knew was patched/fix and what was being tested.

The best path? Eliminate the gap of not knowing what is connected to your network. When you want to know what is on the network— TALK WITH THE NETWORK! Agents and point in time scans will not get you there. You also need to verify on EVERY admission to the network what risk the devices brings to the network. Leverage your vulnerability scanning tools with your visibility tools to bring your cybersecurity ecosystem together. Device visibility and control. Not just a tagline, but a call to action.

For more of my musings on all things cyber, click here.

Demo Request Forescout Platform Top of Page