What is The True Cost of Rectifying a Security Flaw/Breach?

By Phil Sealy | 2Q 2018 | IN-5137

Assessing the Associated Cost of a Security Flaw/Breach 

NEWS


Security is an important foundational piece in a world where anytime, anywhere access to services is fast becoming a prerequisite.

However, security still goes undervalued in many instances, in part because the cost of a potential security flaw or breach is so hard to assess.

How to calculate the true cost of a security flaw or breach is one of those million-dollar questions, and one that is extremely difficult to answer. Attacks vary widely in the type and size of enterprise affected and in the kind of data compromised, and the direct cost is mixed with other elements, from the cost of service downtime to the damage done to brand reputation.

All of the above make a cost analysis extremely difficult to build, and the area needs some form of costing guideline that can serve as a baseline for justifying the initial security investment and the ongoing cost of managing and maintaining the security function.

This Insight sheds some light on that million-dollar question and provides some clarity on the real-world cost of addressing and resolving security flaws.

Using Estonia’s Identified eID Security Flaw as a Baseline to Draw Costing Conclusions

IMPACT


In September 2017, the Estonian government announced that a security flaw had been discovered in the chip used in a portion of its mandated national ID cards (those issued since October 2014). The flaw lay in the chip's RSA key-generation routine, later known as ROCA (CVE-2017-15361): the private key of an affected card could, given enough computation, be derived from its public key, which would allow the misuse of citizen data, identity theft and ultimately fraud.

Overall the Estonian government estimated that approximately 750,000 cards carried affected certificates. In November 2017 the government suspended the certificates on the affected cards and announced that all affected citizens would need to renew their certificates, with new key pairs generated on the card using elliptic-curve cryptography rather than the flawed RSA routine, by a deadline at the end of March 2018.
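The flaw behind the Estonian incident, a defect in the chip's RSA key-generation routine (ROCA, CVE-2017-15361), leaves a statistical fingerprint on every affected public key: the modulus reduced modulo each small prime is always a power of 65537, because the routine picked primes of the form p = k·M + (65537^a mod M) for a primorial M. The check below reproduces that fingerprint test so that an operator could triage which certificates in a population need renewal. It is an added example, not code from this Insight, the Estonian authorities or the ROCA researchers. It assumes the odd primes up to 167 as the fingerprint prime set (the set the public detector uses, to the best of the editor's knowledge) and, to exercise the check, constructs toy 512-bit primes with the affected structure; these toy keys are built here and are not real eID keys.

```python
"""ROCA (CVE-2017-15361) fingerprint check for RSA public moduli.
Added example; the prime set and the toy key construction are the
editor's assumptions, stated in the comments."""
import math
import random

E = 65537  # public exponent used by the affected key-generation routine


def primes_up_to(limit):
    """Simple sieve; returns all primes <= limit."""
    sieve = bytearray([1]) * (limit + 1)
    sieve[0] = sieve[1] = 0
    for i in range(2, int(limit ** 0.5) + 1):
        if sieve[i]:
            for j in range(i * i, limit + 1, i):
                sieve[j] = 0
    return [i for i, flag in enumerate(sieve) if flag]


# Assumption: the public detector fingerprints against the odd primes up to
# 167 (38 primes); 2 is skipped because every odd modulus trivially passes it.
SMALL_PRIMES = primes_up_to(167)          # 39 primes, 2 .. 167
FINGERPRINT_PRIMES = SMALL_PRIMES[1:]     # 3 .. 167
# M for 512-bit ROCA keys is the primorial of the first 39 primes (2 .. 167).
M512 = math.prod(SMALL_PRIMES)


def generator_residues(p, g=E):
    """The subgroup {g^i mod p}: the only residues a ROCA modulus can have mod p."""
    seen, x = set(), 1
    while x not in seen:
        seen.add(x)
        x = (x * g) % p
    return frozenset(seen)


RESIDUES = {p: generator_residues(p) for p in FINGERPRINT_PRIMES}


def has_roca_fingerprint(n):
    """True if n mod p is a power of 65537 for every fingerprint prime p.

    An affected key has primes p = k*M + (65537^a mod M), so n = p*q is
    congruent to 65537^(a+b) modulo every prime dividing M and passes every
    test; an ordinary modulus fails at least one with overwhelming probability.
    """
    return all(n % p in RESIDUES[p] for p in FINGERPRINT_PRIMES)


# ---- toy key construction (constructed here only to exercise the check) ----

def is_probable_prime(n, rng, rounds=24):
    """Trial division plus Miller-Rabin with random bases (demo quality)."""
    if n < 2:
        return False
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def roca_style_prime(rng, bits=512):
    """Prime of the affected form k*M + (65537^a mod M), as the flawed routine produced."""
    kbits = bits - M512.bit_length()
    while True:
        a = rng.randrange(1, 1 << 32)
        k = rng.getrandbits(kbits) | (1 << (kbits - 1))
        cand = k * M512 + pow(E, a, M512)
        if is_probable_prime(cand, rng):
            return cand


def random_prime(rng, bits=512):
    """Ordinary random prime, i.e. how a sound generator picks p and q."""
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand, rng):
            return cand


def make_toy_keys(seed=2017):
    """Return (affected_modulus, sound_modulus), both 1024-bit toys."""
    rng = random.Random(seed)
    affected = roca_style_prime(rng) * roca_style_prime(rng)
    sound = random_prime(rng) * random_prime(rng)
    return affected, sound


if __name__ == "__main__":
    affected, sound = make_toy_keys()
    print("affected-structure modulus flagged:", has_roca_fingerprint(affected))  # True
    print("ordinary modulus flagged:          ", has_roca_fingerprint(sound))     # False
```

The test is purely arithmetic on the public modulus, so it can be run over an entire certificate store without touching any private material; a positive result means the key must be replaced, not merely re-certified, because the weakness is in the key itself.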

 

The Estonian government was open and honest about the discovery of the flaw and professional and swift in its response, which makes the episode an ideal case study for other public- and private-sector service providers seeking to understand the true value of security and the real cost implications of a vulnerability.

In March 2018, the Estonian daily newspaper Postimees reported that Estonia's Information System Authority (RIA) had requested a total of €1,115,616 from the Estonian government to recover the costs of resolving the flaw: the in-house and outsourced development work needed to fix it, a significant information campaign to notify affected residents and show them how to renew their compromised credentials, extra capacity on its information lines to keep the resolution moving quickly, and the additional personnel costs incurred during the resolution process.

Spread over the roughly 750,000 affected cards, the cost of resolution (fixing the flaw itself) works out at approximately €1.48 per user.

In connection with the flaw, the Police and Border Guard Board, the government authority that deals directly with the eID manufacturer, is also seeking €20 million from the eID supplier. It remains unclear how that figure was calculated, but it is likely a compensation pool to draw on for future claims tied to service downtime and the resulting loss of revenue. Trusted third-party service providers use the national ID credential for secure access to a wide range of online services, including banking, and they too were directly affected during the resolution period.

The €20 million figure can be used to begin a cost analysis for affected third parties and for revenue lost to service downtime; it works out at approximately €26.66 per user.

Combined, the cost of the flaw comes to as much as €28.14 per user. More importantly, it shows that the initial cost of fixing the flaw pales in comparison with the potential cost of service downtime and lost business.

Why Security Should be Viewed as a Differentiator

RECOMMENDATIONS


Firstly, nothing is 100% secure, and the discovery of Estonia's eID vulnerability is a clear testament to that fact; what the case demonstrates is the importance of security and the cost a flaw can carry. Estonia found and fixed its flaw before any external damage was done, yet the resolution period still caused significant disruption to citizens and service downtime. The Estonian case can therefore be used as a simulation of the impact had the system actually been compromised.

Security is an extremely broad term, but lessons can be learned from the Estonian eID flaw and from the clear reporting of the resolution and the costs involved in fixing it. That reporting can help the entire industry begin to piece together the true value of security.

 

Although the Estonian example concerns a national ID (government- and card-centric), its lessons carry over to other use cases because of the many synergies between the security processes used in card-centric applications and those used elsewhere, including the IoT. Whether it is an eID or an IoT device that is affected, there will be an element of device/credential-to-cloud connectivity, secure authentication, key management and the handling of digital data. The IoT and the growing volume of connected devices ultimately mean a growing number of targets, which is why security is so important and needs to be designed in from the ground up; retrofitting it after the fact is not a suitable approach.

Security is invisible: it works in the background and is largely not questioned while it is working. However, the media regularly report compromises, and this is raising awareness among end users. Security education is good for the wider market, since end users are often at fault themselves and may need to change their habits, and it also puts further pressure and emphasis on security.

The overriding fact is the clear cost disparity between resolving and patching a security flaw on the one hand and the consequences of service downtime on the other. Fixing the flaw itself is likely to be relatively inexpensive compared with the cost of lost service revenue, reduced confidence and trust and, ultimately, damage to the brand's image.

It is arguably here that the true value of security resides, and it is a firm argument for why security should not be undervalued. Security is required not just to protect against data compromise, theft or misuse, but also to ensure continuous operation, service uptime and brand protection, which ultimately translates into continued trust and loyalty from the service's user base. To draw the required value out of a security strategy, implementers need to keep the following in mind:

  • Security is best baked into the design phase of any system or product; it should not be a secondary, retrofitted thought.
  • Nothing should be considered 100% secure: what is considered highly secure today might not be tomorrow.
  • Silicon-to-cloud approaches are best for locking down the various points of intrusion. They require a dynamic and wide-ranging partner ecosystem to enable and manage.
  • Security providers should be evaluated consistently to ensure that the required security requirements are still being met; after all, tomorrow's security requirements may differ from today's.
  • There is no one-size-fits-all approach; find experts in the security fields you require, e.g. authentication, lifecycle management, key management.
  • Proven and established standards and specifications exist and should be leveraged where applicable.
  • Make use of hardware-based security where possible. Most chipsets have some form of security function, such as cryptographic capabilities, but the majority remain dormant; use what you already have at your disposal.

All of the above are prime reasons why ABI Research believes that security is not only a necessary requirement but a differentiating factor, used as a trust anchor to ensure continual service access and uptime. In turn, this leads to improved user trust and loyalty, with security underpinning the relationship between service provider and user.
