By Nick Molina, TierPoint IT Engineer
In the last few weeks, Kaspersky Lab generated a lot of attention with its study about the costs of a security breach, which found that it costs double to recover if virtual infrastructure is affected. You can read their report. Some of the resulting screaming headlines came across like an indictment of virtualization itself. It has moved me to chime in with a point that seems to be missing: it is largely not virtualization’s fault.
Yes, there are many factors that drive up breach recovery costs. One that has been overlooked in the Kaspersky report discussion is virtual machine (VM) sprawl. With VMs, it is easy to set them and forget them. They can live on even without patching or OS updates, whereas their physical counterparts tend to get decommissioned or upgraded more frequently over time. Malware loves these unpatched and neglected VMs because they provide an easier point of entry into your network, where it can lie in wait until it is ready to do the voodoo that it does.
Although a diligent IT team with some automation can limit sprawl, sprawl is a big problem that can substantially impact risks and recovery costs. When conducting an analysis like this, you cannot ignore people and processes as part of your evaluation.
Good Data Management and Breach Remediation Costs
Good data management practices beyond just buying security software mitigate many of the factors that drive up breach remediation costs. I am not saying full recovery is cheap and easy. I am saying trained IT staff and the right IT processes will reduce many costs and speed up recovery time. A broad-brush statement that physical recovery costs half as much as recovery from virtual environments is highly misleading because there are so many "it depends" considerations.
The problem is that a lot of organizations, especially small ones, do not have the time or the expertise to do breach planning and prevention, including regular patch management, network segmentation and firewall optimization, among other practices. And it is easy to see how the security market can be confusing. It is difficult to strike the right balance between investing in security and the level of risk your company is willing to tolerate.
Businesses are recognizing how difficult recovery and security can be at the same time as high-profile breaches flood the media on a regular basis. It feels like we are getting past the notion of security as a sunk cost. This is why so many managed services providers, VARs and other solution providers are doing well. Failing to conduct proper breach and DR planning (which includes recovery) is what really drives up recovery costs.
So Now What
In the end, I think research like this is good to keep conversations going about the importance of good data governance and protection practices. Security attacks are increasingly automated and broadly targeted, so even if you think a breach won’t happen to you, eventually it probably will. An assume-breach posture is becoming an industry reality. Forget about just losing data for a second. What you do before a breach takes place could have a large impact on whether you can recover your business at all.
That is the lesson from the Kaspersky research in my opinion. Be proactive. Get good advice regardless of whether you maintain your information in your own data center or in a cloud/colocation solution. Decide whether it makes more sense to outsource some of these functions, especially something as simple as patch management. There is a good chance that your IT department is understaffed and overworked. If you cannot be diligent about details like managing updates or performing a VM review to determine what should be deleted, your jaw will drop when you see the breach recovery bill.