Page 35 - CITP Review
Miscellaneous errors. Incidents in which unintentional actions directly compromise an attribute of a security asset. This could refer to the delivery of information, in electronic or paper format, to an unintended recipient.
Point of sale (POS). Remote attacks against the equipment used in retail credit card transactions. POS terminals and POS controllers are the targeted assets. Use of stolen credentials to access POS environments continues to rise and now occurs almost twice as often as brute force among hacking actions.
Payment card skimmers. A skimming device is physically implanted on an asset that reads magnetic stripe data from a payment card (e.g., an ATM, gas pump, or POS terminal).
Physical theft and loss. Any incident in which an information asset was either misplaced or illegally obtained.
Crimeware. Any computer program or programs designed for the sole purpose of aiding illegal activity online.
Organizational impact of a data breach and post-breach response
Organizations suffer significant financial costs as a result of a data breach. Four process-related activities drive a range of expenditures associated with an organization's detection, escalation, and notification of a data breach and with the activities conducted following it. The following costs are associated with an organization's detection and response to a data breach:[30]
Detection and escalation. Processes and activities that allow an organization to detect a data breach and report it to appropriate personnel within a specified time period. Examples of these costs include forensic and investigative activities; assessment and audit services; crisis team management; and communications to executive management and the board of directors.
Post data breach response. Processes set up to help those affected by a data breach communicate with the organization, as well as any associated redress and reparation costs. Examples of these costs include help desk activities and inbound communications; credit report monitoring and identity protection services; issuing new accounts or credit cards; legal expenditures; product discounts; and regulatory interventions (fines).
Notification costs. Activities undertaken by the organization to notify individuals whose data was compromised in the breach (data subjects), usually in the form of communications. Examples of these costs include emails, letters, outbound telephone calls, or general notice that personal information was lost or stolen; communication with regulators; and determination of all regulatory requirements and engagement of outside experts.
Lost business cost. The cost of business lost due to a breach, including customer loss, business disruption, and system downtime. Examples of these costs include cost of business disruption and revenue losses from system downtime; cost of lost customers and of acquiring new customers; and reputation losses and diminished goodwill.[31]
More factors in the overall financial cost of a data breach include the following:
Unexpected loss of customers. Programs that preserve customer trust and loyalty in advance of a breach will help reduce the degree of abnormal churn, especially programs directed or overseen by a senior manager. Organizations that offer data breach victims identity protection in the aftermath are also more successful in reducing churn. Reducing churn reduces the cost of the breach.
[30] See www.ibm.com/security/data-breach, last accessed August 19, 2019.
[31] See footnote 30.
© 2019 Association of International Certified Professional Accountants. All rights reserved. 1-27