The term “Go Big or Go Home” was first used by an exhaust system manufacturer in the ‘90s named Porker Pipes who primarily sold to Harley Davidson Motorcycles. The term has been reused, rehashed, and repurposed over and over in the subsequent 20+ years by just about everyone. However, hackers have taken this motto to heart more than anyone else.
The chart on the right represents the world’s biggest data breaches larger than 30,000 records caused by hackers during the past 7 years, 2011 through 20171. Every year certainly has its fair share of breaches and some large ones to boot. It’s the frequency, size, quantity, and acceleration of the attacks that’s generated increased concern.
Go Big is exactly what hackers have done, and with credit card data being worth between $10 and $45 per card on the black market, it is easy to see why. Millions of credit cards stolen from online and brick and mortar retailers can fetch high bounties for hackers.
Credit cards are only one prize for hackers. Personal information that allows them to perform identity theft is worth even more. This can allow malicious individuals to open loans, credit cards, and much more. Corporate credentials and bank information is worth even more as it can lead to the ACH or wire transfer of millions of dollars. Losses incurred by companies such as Equifax, with lost personal and social security numbers of millions can’t even be measured.
Impacts and Costs of a Data Breach
It is difficult to quantify what a breach would cost an organization like yours as there are so many ways in which a breach negatively impacts a company. Impacts of an information security breach can be grouped into the following categories:
- Direct costs
- Revenue loss
- Business disruption
Direct Costs and Forensic Investigations
While notification that your systems have been breached will likely come as a shock to you, in reality, the hackers have likely been in your systems for months or maybe years. Cisco reports that on average it is 205 days from the earliest evidence of compromise to the discovery of compromise. Plus, organizations discover breaches themselves only 31% of the time, while others notify them 69% of the time. As such, the amount of effort (and therefore expense) it takes to analyze all the systems and eradicate the hackers is substantial. For small incidents, this could cost in the tens of thousands of dollars. For larger organizations or where the perpetrators have been in systems for a long period of time, this can cost millions. Thankfully this is one of the areas that can be offset through insurance (minus the deductible) if the organization has purchased data breach insurance.
The cost of the Target breach in 2014 keeps on climbing. According to the firm’s latest earnings report, the net expense of the breach stands at $162 million. The actual total has now reached a gross expense of $191 million. That amount was offset by a $46 million insurance in 2014.4
Credit Monitoring Services
Most organizations that experience a breach offer one year credit monitoring services to affected customers. Retail rates on these services can cost between $10 and $30 per month for each customer.
Lawsuits
It doesn’t take long after a breach occurs to have the lawsuits being filed. Most large breaches have class-action lawsuits that not only cost organizations tens of millions of dollars but draw out the impact of the breach over years. Attorney fees and the ultimate settlements can materially impact some businesses. Many hacked businesses continue to feel the impact from breaches for years to come with prolonged litigation in federal court.
Fines
Breaches that happen to organizations that fall under compliance requirements, such as retail companies, will likely be required to pay fines even if they had reported 100% compliance prior to the breach. Fines can range from $50 to $90 per cardholder data compromised.2
Additional Security and Personnel
Organizations that experience a breach are usually directed, compelled, or required to increase their security and compliance stance which always leads to additional cost for tools, solutions, service providers, and staff to help reduce the risk of a future breach.
Insurance Premiums
For organizations that have experienced a breach, their premiums skyrocket or they lose their data breach insurance altogether. Organizations that get data breach insurance soon will likely experience very reasonable premiums. Those that wait will experience higher premiums after the insurance industry has experienced the impact of a few of these large-scale breaches and increase the premiums across the board. Lingering expenses serve as a warning to CEOs who are reluctant to make overdue security investments that are needed in today’s environment.
Revenue Loss and Brand Reputation
Loss of customer confidence is a very real thing. Most retail breaches do result in a sharp drop in customers and revenue. The publicity and nature of the breach will ultimately play a big part in how long that negative impact will last. As a result of the breach, which some called the “Nightmare before Christmas”, Target saw profits fall by nearly 50% in its fourth fiscal quarter of 2013.3
The company reputation can extend far beyond just the notion that they weren’t very diligent with their information security. The Sony breach for example resulted in the release of corporate emails with personal information about stars, corporate feuds, and much more that cast a very poor shadow on the corporation and their culture.
“Organizations need to be mindful of the reputation damages. What’s harder to measure is whether there are any lingering reputation damages due to consumers who still haven’t returned to Target for their shopping needs,” – Shirley Inscoe, Aite Group.4
Credit Card Use Suspension
While a rare punishment, credit card companies have the right to suspend your business from accepting credit cards. For most companies this would be a debilitating blow to revenue.
Business Disruption and Stock Price
While most organizations stock prices recover eventually, breaches almost always seem to create a sharp decline in the stock price. Target experienced a substantial drop in their stock from a $66.89 price just before the breach announcement to $56.33 in the first part of February, not even 3 months later.
Management Changes
It would seem that few board of directors are willing to let a data breach pass without making significant changes to the executive management team. CEOs and CIOs are usually let go or they resign. New positions are created.
Opportunity Costs
Breaches are so disruptive to a business, they create an “all hands on deck” and take up all of the oxygen in the organization for a significant period of time. The company strategy gets disrupted or put on hold. Investments the company was going to make do not get made. Pending acquisitions and mergers are put on hold or are reversed. These can have an enormous impact on a company and can be felt for years to come.
Opportunity costs can mean just about anything. Ask Sony after their breach that led to them not launching a movie in theatres and several other movies being posted to internet download sites prior to their release.
Calculating
There are several online calculators that exist including one found at: http://www.focusonpci.com/site/index.php/Penalties-Calculator.html to help you get a better idea of what an information security breach would cost your organization. It takes into account the state your company is incorporated in and includes discovery, notification, employee opportunity costs, customer opportunity costs, regulatory fines, civil restitutions, audit costs, and other liabilities. Many organizations have had their eyes opened to what a low and high estimate might be for their company.
Lessons Learned
The lessons learned by organizations that have lived through breaches could be a book by itself. All would tell you that if at all possible, avoid the breach in the first place. Yet many organizations don’t value information security at the level needed to avoid a breach. It is difficult to invest in something without knowing the true value it is bringing to the organization. In reality, all investment in information security, information risk management, etc. is one big insurance policy. Perhaps an investment decision you made two years ago has prevented a breach from occurring. Something you would never know. Or perhaps the lack of investment has led to a breach that you are not yet aware of. Remember that most breaches go unnoticed for months or years prior to discovery.
Compliance requirements are a way to set a minimum standard that everyone should abide by to protect data. If you do every single thing you should, you may still have a breach. However, abiding by the guidance, you can dramatically reduce the risk and exposure you have to a breach. Proper information security is about doing a thorough risk assessment:
- Identify gaps in personnel, policy, procedures and solutions
- Identify solutions to mitigate
- Prioritize the investment needed both in terms of time and money
- Execute a plan that gets you to a place where your risk is properly aligned to your business.
For most organizations, doing it alone becomes a daunting challenge. Third party providers are well suited for these organizations to get the most bang for their buck. These providers can deploy solutions that can help mitigate risk, keep you compliant, and dramatically reduce your exposure to a breach. Getting cost effective breach insurance is another “no brainer” that you hope you never need, but if you do, you will be glad you have it.
“Most importantly failing to invest in security is strategically myopic; without ensured stability, a business may as well be committing corporate suicide.” (Matthew Rosenquist, an information security strategist at Intel)5
CONCLUSION
The way people feel about a breach and an organization that has a breach can vary. On the one hand, some people say, “those darn hackers, they can get into just about anything they want”. The company is just the latest victim of bad guys doing bad things. On the other hand, they may blame the corporation for the breach and any negative impacts they personally experience. The major difference in these two sediments is the perception around how much care the company took to protect their data. If the feeling is that the company did everything that they could and the hackers still got in; the public largely forgives the company. If it is discovered that the company was negligent, didn’t follow best practices, wasn’t compliant, and didn’t invest properly in their information security program; the public will not be as forgiving.
Endnotes