Page 35 - CITP Review

• Miscellaneous errors. Incidents in which unintentional actions directly compromise an attribute of a security asset. This could refer to the delivery of information, in electronic or paper format, that was sent to an unintended recipient.
• Point of sale (POS). Remote attacks against the equipment used in retail credit card transactions. POS terminals and POS controllers are the targeted assets. Use of stolen credentials to access POS environments continues to rise and is almost double that of brute force for hacking actions.
• Payment card skimmers. A skimming device is physically implanted on an asset that reads magnetic stripe data from a payment card (e.g., ATMs, gas pumps, POS terminals, etc.).
• Physical theft and loss. Any incident in which an information asset was either misplaced or illegally obtained.
• Crimeware. Any computer program or programs designed for the sole purpose of aiding illegal activity online.


Organizational impact of a data breach and post breach response

Organizations suffer significant financial costs as a result of a data breach. Four process-related activities drive a range of expenditures associated with an organization’s data breach detection, escalation, notification, and activities conducted following a data breach. The following costs are associated with an organization’s detection and response to a data breach:[30]

• Detection and escalation. Processes and activities that allow an organization to detect and report a data breach to appropriate personnel within a specified time period. Examples of these costs include forensic and investigative activities; assessment and audit services; crisis team management; and communications to executive management and the board of directors.
• Post data breach response. Processes set up to help those affected by a data breach to communicate with the organization, as well as any associated redress and reparation costs. Examples of these costs include help desk activities and inbound communications; credit report monitoring and identity protection services; issuing new accounts or credit cards; legal expenditures; product discounts; and regulatory interventions (fines).
• Notification costs. Activities undertaken by the organization to notify individuals whose data was compromised in the breach (data subjects), usually in the form of communications. Examples of these costs include emails, letters, outbound telephone calls, or general notice that personal information was lost or stolen; communication with regulators; and determination of all regulatory requirements and engagement of outside experts.
• Lost business cost. The cost of business lost due to a breach, including customer loss, business disruption, and system downtime. Examples of these costs include cost of business disruption and revenue losses from system downtime; cost of lost customers and acquiring new customers; and reputation losses and diminished goodwill.

More factors in the overall financial cost of a data breach include the following:[31]

• Unexpected loss of customers. Programs that preserve customer trust and loyalty in advance of a breach will help reduce the degree of abnormal churn, especially those directed or overseen by a manager at a high level. Organizations that offer victims of data breach identity protection in the aftermath are also more successful in reducing churn. Reducing churn reduces the cost of the breach.


[30] See www.ibm.com/security/data-breach, last accessed August 19, 2019.
[31] See footnote 30.


            © 2019 Association of International Certified Professional Accountants. All rights reserved.    1-27