Big Business Breaches: More Than a Dent on the Bottom Line
Much more so than smaller companies, large global enterprises are likely to have the financial resources to recover from a data breach.
However, while enterprises might have the means to pay for the dent a breach puts on their bottom line, there are other important considerations that can result from security attacks: rising insurance premiums, damage to third parties, and sinking customer goodwill and trust.
All of the recent major data breaches, against companies such as Target, Sony Pictures Entertainment, JPMorgan Chase, Home Depot and Anthem, drew lots of attention in the news. That’s the kind of publicity companies can do without, and it gets customers and business partners questioning how safe it is to do business with organizations.
As Forrester notes in its report, “Understand The Business Impact And Cost Of A Breach,” released in January 2015 “after a breach, there will be many costs associated with winning back customers and rebuilding customer loyalty, all of which can vary widely depending on your business and industry.”
Typically, banks and hospitals are affected the least here, Forrester says, since consumers are averse to the hassle of changing from one bank or hospital to another. “Retailers, restaurants and hotels may see greater fluctuations as consumers can more easily take their business elsewhere,” the Forrester report says. “B2B companies can face brand costs in the form of delayed contract agreements and lost business as well. Most organizations have a good idea of how much it costs, on average, to acquire a new customer as well as average spending per customer and can thus extrapolate the total recovery costs and lost revenue.”
Easy and difficult costs to calculate
There’s no doubt that security breaches are costly to enterprises in a number of ways. The 10th annual Cost of Data Breach Study conducted by Ponemon Institute and sponsored by IMB found that the average consolidated total cost of a data breach in 2014 was $3.8 million, representing a 23% increase compared with 2013.
The study reported that the cost incurred for each lost or stolen record containing sensitive and confidential information increased 6%, from a consolidated average of $145 to $154. To gather the data, Ponemon Institute researchers conducted more than 1,500 interviews with IT, compliance and information security practitioners representing 350 organizations in 11 countries.
Calculating the true costs of a data breach to an organization can be difficult, because there are so many areas of business operations that can feel the impact. On the one hand, there are fairly easy costs to quantify such as direct financial losses due to the breach, regulatory fines, claims settlements and increases in insurance premiums. On the other, there are costs that are more difficult to measure, such as systems downtime, damage to brand and reputation, and loss of competitive advantage.
Security weaknesses to weigh
Enterprises need to take proactive steps to protect themselves against breaches, and have the resources in place to quickly minimize the damage if a breach takes place. One of the first things companies should do if they haven’t already is conduct a thorough assessment of their security programs, including the technologies, policies and procedures in place.
This might sound obvious enough. But what if enterprises don’t review and update their organization-wide information security on a regular basis? With threats becoming ever more sophisticated, security programs need to keep constantly evolving.
3 strategies to put in place
In addition to conducting an assessment and deploying any needed improvements, enterprises should keep in mind these steps to keep breach-related costs as low as possible:
Be open and responsive to customers and employees. When a data breach occurs — following the initial efforts to contain the damage, contact enforcement authorities, etc. — make a clear and honest statement to the public about exactly what happened and what’s being done about it. Make sure that the details are accurate and up to date, and be explicit about what individuals who might have been affected need to do. Offer any possible assistance, such as help with clearing up credit card issues.
Leverage threat intelligence. This is the age of sharing information, even information about security threats and vulnerabilities. There are plenty of threat intelligence services available, either as part of security technology offerings or independent services. Enterprises, especially those likely to be targets for attack, should be leveraging these resources on an ongoing basis. This is especially true given the rapid rate of change in the security threat landscape.
Focus on the new areas. Corporate IT is not what it was even two or three years ago. Today, data is highly likely to be residing in the cloud, and employees are likely to be using multiple devices on the job and sharing information on social media. Ensure that security efforts include provisions for data protection in the cloud and on mobile devices.