Now that major data breaches have become so commonplace, there is a growing perception that they are simply an inevitable cost of doing business: the resulting costs are paid, the fallout is contained as quickly as possible, and everyone moves on.
Data breach malaise has set in, and some of the public outrage and concern seems to have attenuated. “It will be news when there’s a day a new data breach isn’t discovered,” quipped one journalist.
Despite the large costs involved, several pundits have posited that the data breach costs large enterprises face are a drop in the bucket compared to the revenues and profits they take in. A recent announcement of an additional cost of $19.5M, on top of the previous costs of $152M for the Home Depot data breach, might be seen as small compared to the $21B in revenue the company took in last quarter or the $88.5B for fiscal 2015.
Obviously a smaller company might be devastated by the costs of liability, investigation and clean-up. The more than $171M that Home Depot has had to allocate—even after a big payout from its cyber insurance policy—for a single breach is a monstrous number, and could easily wipe out a smaller enterprise.
The real costs of a data breach are varied. One particular ramification is the impact on customer retention. This was especially well exemplified by the disaster at TalkTalk, which recently disclosed that its profits were half what they were in 2015, in part because of the breach.
The impact of a data breach on brand, reputation and customer loyalty may range from a temporary business set-back to completely putting a company out of business. In particularly competitive markets, why deal with a company known to have lost customer details when you could easily choose a similar vendor without the black mark of a data breach? A 2015 Deloitte survey showed that 73% of consumers would “think twice about using companies that failed to keep their data safe.”
Stock price, and the associated market capitalization, is another area of potential impact. Several reports, including one from KPMG in mid-2015, assert that investors and investment firms will tend to back away from companies that have suffered a breach. Perhaps some of the investor fear comes from the threat of a secondary or subsequent breach due to credential theft or other information that a cybercriminal may have secretly acquired in the first attack. Fear could also involve longer term effects on the company’s business.
There are other things to worry about besides data theft: dangers that pose far greater threats to the viability of a business. Some of these include:
- Intellectual Property Theft - There is a burgeoning world commerce based on stolen or copied intellectual property, ranging from defense equipment to computer software, communications equipment and drug designs.
- Theft of Other Company Secrets - While not technically IP, law firms are entrusted with a wealth of secrets and confidential information from their clients. Loss of this information would not just precipitate large-scale damage claims and settlements, but it would threaten the very business of the firm. Who would want to trust a law firm that has proven itself incapable of protecting the confidential information of its clients?
- Data and Code Sabotage - An even more insidious IP threat is looming. Instead of the outright theft of trade secrets, cybercriminals can potentially access a software-based product and create a backdoor or ticking time bomb that they can use for extortion or for theft on a scale orders of magnitude greater than identity details. Criminals can also manipulate data or settings in applications. Back in 2004, Microsoft Windows 2000 source code was obtained from a Microsoft partner and leaked out broadly. The scenario could have turned out differently had a cybercriminal secretly gained direct access to the source code and modified it. In 2014, a string of compromises of European financial institutions enabled cyber attackers to implant code they later used to steal hundreds of millions of dollars from banks and ATMs.
- Life and Limb - An extreme form of sabotage could directly imperil life or limb. Fears have already been raised about the vulnerability of medical devices. Cybercriminals could potentially penetrate hospital networks and establish a secret control point from which to commandeer important medical equipment unless an extortion payment is made. Similarly, the networks of an infrastructure management company, such as the operator of a dam or power plant, could be penetrated and the operator extorted for payment.
The impact of a data breach today in which personal information is stolen may not be calamitous for a large company, but that does not mean a large company can breathe easy. New criminal activities are looming that would have a far greater impact on a company’s business. Small and medium enterprises could be wiped out by the theft of personally identifiable information today, and certainly could not stand up to these greater threats.
Enterprises of all sizes need to be mindful of the alarm that has sounded. It’s time to wake up and consider a new approach to protecting businesses from cyber-attacks.