SecurID data breach cost RSA $66m – how much did it cost you?

RSA Security has now confirmed that the SecurID data breach earlier this year cost the firm around $66 million in direct and attributable costs.

But the reality is that the data breach has probably cost users of SecurID even more when it comes to time and resources spent ordering and reissuing new hardware tokens for business users.

And whilst some estimates put the corporate cost of replacing SecurID tokens after the breach at around $100 per user, the true cost to both EMC and its clients is likely to be much higher.

As well as the difficult-to-quantify indirect costs, there is also the issue that many organisations will have had to beef up their security in other areas, as the trustworthiness of the SecurID system will have, quite understandably, taken a hit in many businesses.

I’ve observed this trend when talking to potential new customers, who have woken up to the fact that they are now having to factor in the previously unplanned-for costs of redeploying new hardware tokens amongst their workforce, many of whom are scattered across a wide area.

Had those organisations used a software-based token system, or a tokenless authentication system that uses a mobile phone as the authentication vehicle, redeploying replacement tokens would have been far cheaper and would have taken a lot less time, since a new credential can be issued remotely rather than shipped as a physical device.

As the Washington Post quotes EMC’s executive vice president as saying, the $66 million price tag on the data breach included the cost of investigating the attack, as well as hardening its systems and working with customers to remediate the problem.

It is also clear that the security systems failure at EMC/RSA Security will have cost the firm's clients a vast amount of money, both to replace tokens and to develop workarounds for the compromised hardware token system.

Reports vary on the number of SecurID tokens in active usage, but some estimates come in at around the 40 million mark, so assuming a remediation cost of $100 per token, that means that RSA Security’s customers will have spent $4 billion in solving the company’s security failings.

This is a lot of money and, as well as questioning why their IT departments are continuing to use a hardware system that could be compromised again in the same way, client organisations should also be looking at alternative options that can save them money in the short as well as the long term.

Hardware tokens are clearly a secure method of authenticating a user who is accessing an IT system remotely, but if the underlying resource for that security is compromised, the fall-out can be significant. Each token's one-time codes are derived from a per-token secret seed, so anyone who obtains a seed record can compute the same codes as the genuine token. Companies should be looking for alternative solutions that do not rely on the manufacturer storing token seed record information.


Andrew Kemshall is co-founder of SecurEnvoy. Before setting up SecurEnvoy, which specialises in tokenless two-factor authentication, Andrew worked for RSA as one of its original technical experts in Europe, clocking up over 15 years' experience in user authentication. His particular specialty is two-factor authentication in the fields of architecture, design and development of next generation authentication software.