Data breach investigations ‘should focus on business impact’


When a company suffers a data breach, the subsequent investigations tend to focus on the attacker and what motivated them.

However, Raj Samani, chief scientist and fellow at McAfee, has told Computer Weekly that there should be more focus on the resulting impact on the business.

He pointed to the recent Equifax breach – in which up to 145.5 million consumers may have had their personal data exposed in a hack of the credit rating firm – as an example.

According to Mr Samani, it is “remarkable because of the impact that it has had, not only on the Equifax business itself, but on the company’s executives,” many of whom have resigned since the breach became public, including the chief information officer, chief security officer and chief executive officer.

He explained that this shows more attention is “being paid to the business impact”. However, he added that one of the reasons this is not seen earlier is that “it takes time for the full impact to be understood and come to the fore”.

The effect of a data breach on a business can be devastating. A recent report by global advisory firm Oxford Economics and IT and business process services firm CGI found that cyber attacks on FTSE 100 firms lead to losses of 1.8 per cent of the share price, or £120 million on average.

Mr Samani said that roughly 1.9 billion records will have been leaked or stolen in the first half of 2017 – more than in the whole of 2016. He told Computer Weekly that this means 1.9 billion “people’s lives have been affected” by their data being exposed, and potentially in the hands of someone with malicious intentions.

This will undoubtedly have a major impact on companies, with customers losing trust and then choosing not to continue doing any sort of business with them. Therefore, Mr Samani said, businesses have “remarkable” opportunities to identify those individuals who can help to drive innovation in security strategy. He added that businesses should look at ways of returning value.

He said that organisations should focus on three factors: transparency, informed consent and value. He explained that customers will be more willing to share their information if businesses can inform them of what they will be doing with any data collected and demonstrate the value they will offer.

Transparency is not just recommended to businesses before a breach – consultants advise companies to be open about an attack after the fact. A cover-up will create more distrust among customers, while reducing the amount of time they have to put any contingency plans into action.

The effect of a data breach on a business can be immense. It therefore makes sense for the resulting focus to be on that impact in order to give companies the best chance of helping their customers through.