Cost of penetration testing < cost of security incident :)



The Cost of a Security Incident Is Usually Much Greater Than Preventing It


The following is a blog post by John Pescatore, dated July 24, 2009, and it is as valid today as it was then.

"A few years ago Avivah Litan and I wrote a Gartner Research Note called “Data Protection is Less Costly Than Data Breaches.” We estimated that large security incidents that resulted in exposure of customer data (more than 100,000 accounts) had hard costs on the order of US$100/account, while small ones (under 5,000) could run as high as $1,000/account. We will be updating that note, but in general the cost of dealing with disclosure events has gone up since then, not down.


"In the news today, HSBC was fined US$5.3M by the UK’s Financial Services Authority for the loss of unencrypted CDs that contained on the order of 180,000 customer records. That’s just the fine; it doesn’t include the costs of dealing with the incident. In this case the fine alone works out to about $29/account compromised, and you have to add our estimated $100/account to reach more like a $20M hard cost (which doesn’t include the market cap hit or loss of business) for this HSBC incident.


"The hard costs of preventing this one were quite a bit less than the hard cost of the incident, which is very often the case. The same has been true of most denial of service attacks and most web site compromises. Unfortunately, the cost of overcoming inertia is huuuge – it takes one of these incidents to move the immovable object. So, make sure you are taking advantage of HSBC’s publicized ill fortune!" Here is the original post.



