Prioritizing Client-Side Website Security: Doing Nothing is the Most Expensive Choice

March 26th, 2020


You know how valuable your website is to your business. However, you may be underestimating how devastating a website data breach could be to your company.

The consequences of a data breach are more severe than many businesses expect. It is not as simple as paying a fine and moving on: a range of short- and long-term costs has to be considered, from fines, lost business and reputational damage to the cost of remediation and the staff time needed to advise, help and notify customers.

That’s why, when it comes to calculating return on investment for web security solutions, it pays to look beyond the price tag. 

Calculating Return on Investment

Tala recommends focusing on four main categories: data protection regulations (GDPR, CCPA, HIPAA, etc.), risk mitigation, brand impact, and revenue protection.

First, determine how many visitors your websites receive and what the potential level of exposure would be in a data breach. Do customers make a significant volume of credit card transactions on your site? What is the average value of a transaction? In terms of revenue loss, consider the losses associated with any downtime or customer-experience impact that reduces the expected volume of purchases.

Costs associated with GDPR and other regulations are significant; on their own they can cripple a business, and revenue loss, brand damage, remediation and blowback come on top of them. To put things into perspective: the Magecart attack on British Airways in 2018 resulted in stolen payment card data from around 380,000 customers, the company's stock price took a 4 per cent hit, and it now faces a proposed record-breaking $230 million (£183 million) GDPR fine from the UK Information Commissioner's Office. Other GDPR enforcement has been similarly costly: Marriott faced a proposed $122 million fine for its breach, and Google was fined $56 million by France's CNIL (a consent and transparency case rather than a data breach).

Many companies that have to comply with GDPR also fall under the jurisdiction of the California Consumer Privacy Act (CCPA). These regulatory fines may be the most calculable impacts of a breach but are just one of the costs that companies must worry about. 

To understand why the ROI of a security solution goes well beyond the risk of paying a GDPR or other regulatory fine, we'll walk through a data breach scenario.

The Cost of a Breach

The cost of a breach goes far beyond any potential fines. Yahoo announced an extensive data breach in the middle of its sale to Verizon, wiping $350 million off the company's price tag and eventually costing over $100 million in settlement payments. Following the British Airways attack, more than $390 million was wiped off IAG's market value.

Let’s consider exactly what happens when a breach occurs. In this example, the breach is similar to what happened to Ticketmaster in 2018, when a hack of a third-party support chat tool compromised the data of 40,000 customers. 

When Ticketmaster was notified of the potential breach, they hired investigators to dig into the issue. That was the first expense. It was discovered that the problem stemmed from a third-party chat agent vendor called Inbenta. 

Websites today usually rely on a variety of third-party elements, including ad networks, analytics and performance monitoring tools, chat widgets and tag managers. A script loaded from a vendor's servers executes inside your page, with the same access to the DOM, cookies and form fields as your own code, which is why a compromised vendor can skim payment data typed into your checkout page. These third-party tools are an increasingly popular target of cyberattacks. If your company, like Ticketmaster, discovered an issue with one of these vendors, you would have to evaluate whether it was better to replace the vendor or to accept the risk of another attack. The evaluation itself has a cost. Finding another vendor has a cost. Whichever path you choose, without a compensating control that safeguards your web properties from the risks introduced by third-party and other JavaScript integrations, you remain vulnerable to another breach.

It doesn’t stop there. You must also notify your customers of the breach, which will cost you in terms of items like postage and staff hours to send email communications. You may have to offer credit monitoring to the customers whose information was breached. Fines can take months or even years to resolve; when the British Airways fine was finally announced, the stock took another significant hit.

Long-term Impacts 

The definition of insanity, as they say, is doing the same thing over and over and expecting a different result. If you don't solve the issue that led to the attack, you're effectively asking for it to happen again. Even if you replace the third-party vendor with a similar tool, the same type of attack could hit the new vendor. You're going to have to invest in controlling this website supply chain.

There’s an opportunity cost involved in ramping up your security in this way. Monitoring your website and third-party applications takes time and resources away from more strategic initiatives. It may be a better investment to implement tools that prevent this kind of attack and make your security team’s job easier. Choosing the right solution is important. Doing nothing is likely the most expensive choice you can make.

Understanding these costs clarifies why safeguarding your website is necessary. Standards-based security solutions built on CSP, SRI and HSTS let you use browser-native controls to protect your users from client-side attacks: Content Security Policy restricts which origins may supply scripts and other resources and where forms may submit, Subresource Integrity makes the browser verify a fetched script against a hash you publish before executing it, and HTTP Strict Transport Security keeps the connection on HTTPS so the page and its scripts cannot be tampered with in transit. These policies protect the web application as it executes on client devices. In a future blog, we'll talk about the specific return on investment from adopting a comprehensive, standards-based security solution.


Deepika Gajaria, Senior Director, Product Management
