Preparation lowers long-term post-breach costs
Companies that had plans in place, that spent time identifying and classifying data, and that used in-house teams were able to lower their long term expenses -- as did companies that successfully stayed out of the news.
The majority of companies affected by a breach also invested in new security tools and services, as well as administrative and physical controls, training, and staffing.
Once a breach has been identified and mitigated, residual financial and brand impact lasted anywhere from a month to three years, according to the report.
During post-breach period, companies have to deal with the legal fall-out of the breach, spend money on additional controls, work with customers to repair damages, and try to restore the company's reputation and brand value.
For example, one company studied, an international retail firm, is still dealing with the effects of a breach that took place in 2010. The company had to redesign its call center operations and reduce staff, and this continues to affect call center metrics such as time on hold.
Companies can take several pro-active steps to reduce the long-term costs of a data breach, said senior SANS analyst Barbara Filkins.
These include conducting a thorough risk assessment and purchasing cyber insurance.
More specifically, she recommended identifying processes that handle sensitive data, locating where that data is stored, creating an access control system, identifying which data will be the costliest if breached and which data attackers are most likely to target, and using scenario-based analysis to create response plans.
Investing in technology or systems that shortens detection time will also have an impact, she said.
"It will help you shorten both the loss you're going to suffer and the duration of that loss," she said.
On the non-technical side, media attention also had an effect on the long-term cost of a breach.
"For the most part, when an organization is breached, the media is extremely helpful for the victims," said Todd Feinman, CEO at Identity Finder, which sponsored the report.
However, the media isn't necessarily helpful for the affected organization, and may publicize information that a company is not required legally to report that may still do damage to its reputation.
Overall, recovery costs are correlated with the size of the breach, said Filkins. But larger companies do tend to spend more, both because they typically have more data to lose, and because they are a higher-profile target for hackers.
However, there are several other factors that affect the long-term impact of a breach.
The root cause of a breach was a factor, since breaches caused by hacking, malware and unauthorized access tend to go unnoticed for a longer period of time -- and result in greater damage.
The type of data stolen also had an impact, since a wider variety of data means that organizations must comply with more sets of regulations.
In addition, health data was correlated with higher costs, since personal health information has a longer shelf life than, say, credit card numbers.