Photo of computer code

The Cost of a Government Breach Is More Than Monetary

20 Nov 2015 by Bob Violino

While the minimal costs associated with a data breach at a business can include exposure of customer credit card numbers and other financial information, there are many more significant costs that come with a cyberattack.

With government agencies, as with healthcare organizations, the data involved oftentimes is especially sensitive. It can include Social Security numbers, fingerprints and private, protected identities.

Then there are the costs that are not as easy to account for and that are long-lasting and might surface later, such as credit protection services, the need to re-vet  particular individuals and compensation for data breach victims.

And just like businesses that have been hacked, government agencies will need to rebuild the confidence of the public after a data breach has occurred and placed individuals’ personal information in jeopardy.

“After a breach, there will be many costs associated with winning back customers and rebuilding customer loyalty, all of which can vary widely depending on your business and industry,” notes Forrester Research in its Jan. 12, 2015, report, “Understand The Business Impact And Cost Of A Breach.”

“Typically, banks and hospitals are affected the least here, since consumers are averse to the hassle of changing from one bank or hospital to another. Retailers, restaurants and hotels may see greater fluctuations as consumers can more easily take their business elsewhere. B2B companies can face brand costs in the form of delayed contract agreements and lost business as well. Most organizations have a good idea of how much it costs, on average, to acquire a new customer as well as average spending per customer and can thus extrapolate the total recovery costs and lost revenue.”

Building back trust

With government agencies, in most cases it’s not a matter of having to retain consumers after an attack, because there usually isn’t an alternative for the consumer. For example, after the IRS reported a data breach in May 2015, it’s not likely that any U.S. citizens began looking for a different organization to which they could file their tax returns.

But any high-profile data breach can lead people to lose trust and confidence in an agency, and they might not be as forthcoming with personal information in the future if they think the organization is not doing all it can to protect data. Furthermore, if employee data is exposed in an attack, those workers affected might not be as inclined to share certain information with their employer in the future, or they might look for work elsewhere.

Agencies need to take the same approach to security as private-sector organizations: Assess the entire information security program to find areas of weakness, then take steps to address those vulnerabilities.

When looking to enhance security, government agencies do not need to go it alone. They can collaborate with other organizations in government and in the private sector, bring in managed service providers and subscribe to threat intelligence services as part of the effort to improve security and get the latest intelligence about threats.

The federal government, including the U.S. Department of Homeland Security, has reached out to businesses to ensure the government and the private sector benefit from each other’s research and development initiatives. And Congress has made efforts to promote information sharing about cybersecurity threats.

Going through government programs

The agencies that are looking to deploy or expand cloud services and are concerned about security can leverage the Federal Risk and Authorization Management Program (FedRAMP), a government-wide program that provides a standardized approach to security assessment, authorization and continuous monitoring for cloud products and services.

FedRAMP, a collaboration among cybersecurity and cloud experts from the General Services Administration, National Institute of Standards and Technology, Department of Homeland Security, Department of Defense, National Security Agency, Office of Management and Budget, Federal Chief Information Officer Council and private industry, aims to save agencies significant costs and manpower by conducting redundant agency security assessments.

In addition to cost savings, among the key potential benefits are increased re-use of existing security assessments across agencies; improved real-time security visibility; a uniform approach to risk-based management; enhanced transparency between government and cloud service providers; and improved trustworthiness, reliability, consistency and quality of the Federal security authorization process.

If you need an extension to your IT staff to help secure your agency, contact Insight at 1.800.862.8758. If you're still researching on your own, learn more about emerging security solutions online.