Organizations Still Paying Breach Costs After Remediation
A new report from SANS Institute examines the costs that organizations deal with after they clean up from a breach.
Data breaches often result in myriad costs for victimized organizations and individuals. A new study from SANS Institute, sponsored by Identity Finder, found that even after organizations remediate the immediate cause of a breach, there will still be ongoing cost consequences.
Barbara Filkins, senior analyst at SANS Institute, wanted to take a different tack in analyzing data breach costs than other reports, notably the Ponemon Cost of a Data Breach and Verizon Data Breach Investigations Report (DBIR). (The 2015 Ponemon Cost of a Data Breach report, sponsored by IBM, found that the average cost of a data breach is $3.8 million.) In Filkins' view, the other reports focus on the front-end costs of data breaches as opposed to what can be done to mitigate the damage after an attack.
At the top end, the SANS report found that 31 percent of the surveyed organizations incurred post-breach costs of between $1,000 and $100,000 as a result of a data breach, and 23 percent experienced costs of $100,000 to $500,000. Looking at the root causes of the data breaches, 35 percent of respondents noted that a hacking or malware attack was the primary vector.
The study also asked how long it took organizations to fully remediate a breach, with 38 percent of respondents reporting it took three months or longer.
Going a step further, even after the breach remediation was considered to be complete, most respondents experienced residual issues, including potential litigation, fines and brand reputation concerns. Only 35 percent reported that they had no lingering effects after a breach was considered to be remediated.