The Breach: What Does It Cost You?

2018 was littered with breaches and cybersecurity stories.  Expect more of those in 2019 because if there is a silver bullet that will solve all our cyber problems, I haven’t seen it yet.

For all the work that is being done surrounding cybersecurity, I wanted to start off 2019 with a piece that focuses directly on the individual, bearing in mind a simple question: What is the cost to you?

Costing can be a hard thing.  There are a bunch of reasons why.  For starters, there may be hidden costs that you may not find out until later in the game.  The unexpected ones that come after an unexpected thwack carry a special kind of pain.

There are also fluctuating costs that are out of your control and can easily change on a whim, throwing your cost structure from “out of whack” to “I’m going out of business” if mismanaged.

Timeliness also plays a role.  Depending where in your cash flow/payment cycle you are – doesn’t matter if it’s a paycheck, payroll, receivable, you name it – that timing could be the difference between weathering the storm and going bust.

So with all that in mind, particularly if you have been a victim of fraud or cyber theft, have you been able to calculate the real cost to you?  To calculate that cost, you need to take into account a whole series of factors that in the immediate aftermath may not be so evident, transparent, or easy to calculate.

I don’t mind saying this: I have been a victim of fraud.  Without getting into the nitty gritty, in each and every case, “the institution” was at fault.  It should be particularly embarrassing for “the institution” when I’m explaining to their help desk where they went wrong, tracking down individual transaction IDs that have a particular aroma to them.

It should be doubly embarrassing for “the institution” when their help desk people say, “Mr. Platsis, we’re learning more about this stuff from this one call from you then they teach us here!”  (This has happened on more than one occasion.)

After all the frustrations, after all the calls, after all the newly instituted security measures and watches, yes, I would get my money back (with the concept of “self-insurance” in mind, you didn’t actually think all those “fees” you pay go into customer service and user experience, did you?).

But there is something I didn’t get back: my time.  And I’m willing to bet a hard earned dollar, just like my time, your time is valuable to you.  I don’t care what your line of work is or how much you get paid: your time is money.

That’s a hidden cost when dealing with all these cyber messes and successful fraud attempts.  A big one.

My worst nightmare was a particularly bad one, as not only did the thieves manage to get my information, they managed to change my information.  Despite the late notice of funny activity (about 72 hours) I still went into high investigative gear to shut this down.

From “the institution” to the police to the credit bureaus, all were impressed – if not a bit shocked – that I was able to track down so much, so fast on my own.  That’s the benefit of being immersed in the subject matter and I truly feel sorry for people who get stuck with the “if you are a victim of cyber theft, please press 1 now” response.

Yes, everything was corrected – eventually – and no, the perpetrators were not caught despite the ample amount of clues I was able to give “the institution” and the police. But I was never compensated for my lost time, which was ample.

Sure, you’re going to tell me that there are services out there that will “watch out” for me, but even if something goes wrong, I still will have to take some of my valuable time – as would you – to fix whatever problem there is.

And as these cyber breaches continue to go bonkers, we are going to be wasting more and more of our valuable time fixing the messes.

Just do the math: whether you are making $15 an hour or billing $1,500 per hour, if it takes you one hour of your time to fix a screw up of this kind, it costs you a lot and NOBODY is compensating you for a screw up that may very well not be of your doing!

I don’t have the perfect answer to this problem.  I only have a partial one: do what you can do as an individual to minimize your risk profile, whether it is in your personal life or your work life.  That requires some education and behavioral change, because your time is money.

There is one more partial answer to this problem, surely one that will cause some consternation in some circles: the “data holders” need to feel some real liability.  That means they can’t offload costs to consumers in the forms of higher fees, nor can they be left to walk so easily.  We’ve been treating data as a cheap commodity for far too long.  It’s time we appreciate its value and how much a data breach really costs us.

Hope your 2019 is off to a great and prosperous start!

By George Platsis, SDI Cyber Risk Practice

January 8, 2019