How much will being hacked cost?

This week there have been two large, unrelated stories about hacking in the news.

In the first case, we have heard that the Home Depot September data breach (just the 56 million credit card details) has cost Home Depot $43 MILLION SO FAR!

In the second case, we saw images of Sony Pictures machines with dire catastrophic warnings of data loss/publication if certain conditions were not met. News of this breach spread around the world like wildfire, reigniting the embers of Sony’s 2011 user details mishap.

The difference between these two uber-hacks? It is almost certain that the Sony one isn’t entirely true. Sure, there may have been some screenshots taken and the media fuelled the flames, but what really happened?

It seems that Sony took their own systems offline, then had to engage with the media and launch a full Security Incident Response Team investigation. This essentially meant they ‘DDoSed’ themselves, on top of the fact that they have sustained reputational damages of more than $43 million.

The point here is that being properly hacked, almost being hacked or being a little bit hacked makes no difference to the public and/or shareholders without a solid, quantifiable response, and will cost a fortune if mismanaged.

ITC believes that appropriate response and communications based on an understanding of the asset model, the reputational or actual risk and the scale and scope of the problem will become essential parts of business continuity planning in the future.

The forensic activity required to scope and investigate an attack needs to be predetermined, including the location of logs and supporting data. It also needs to be well known and understood and, above all, tested against a number of scenarios, just like (yawn) DR tests.


ITC are building models to help our customers work through these scenarios.
If you would like us to discuss this with you, please contact us on: [email protected] or call 020 7517 3900