What is the real cost of a data breach?
You are no doubt familiar with many of the recent high-profile data loss incidents reported in the media. The events seem to be getting so frequent that both consumers and the financial markets are becoming desensitised. The recent loss of the personal information of all eBay users resulted in a 4% drop in share price. However, the knee-jerk reaction by the market was short-lived and the share price quickly recovered. The widely reported loss of payment card details by US retailer Target saw a 3% dip in sales; however, once again sales were back up to normal levels within a very short period of time. The limited reputational damage seems to demonstrate little or no consumer backlash following the incident.
On the surface, the impact of such events on the business' bottom line looks minimal. Many organisations are hesitant to share information on the real cost beyond what is absolutely necessary. We rarely get any insight into what a data breach actually costs a business. Following the Target data breach we gained a deeper insight into this cost. Banks and credit unions collectively spent $200m in replacing the payment cards of all affected consumers. This figure did not include the additional cost of fraudulent transactions using compromised information. In addition, the Target CEO resigned and a further $61m was spent on post-incident remediation activity within the organisation.
Not every business has such deep pockets. Many organisations faced with the same situation have gone under, and many more are likely to do so in the future unless they begin preparing for such an event. The Target example clearly demonstrates that the financial impact of a data breach spreads well beyond the confines of the business and resulted in significant cost to a number of financial institutions. This is a factor rarely considered when quantifying the risk of a data breach.
Calculating the real cost of a data breach goes beyond the short-term financial and reputational cost or remediation activity. The long-term effects of poor future financial results or loss of competitive advantage should also be evaluated. Businesses that have lost intellectual property may not realise the impact of a data breach until a competitor brings a product to market before them a number of years later, taking their market share.
Have you considered what a data breach would cost your business?
- Who else may be affected beyond the walls of your organisation?
- How would you quantify the impact?
- How would you prepare for a breach?
- Are you under attack right now, and how do you detect it? How do you prevent it?
I will explore the answers to these questions and more in my series of blogs on the subject of data breaches. I would welcome comments and challenges to any of my assertions to make this a truly interactive and enriching experience.
I will leave you with one last thought.
“In 2013 the median number of days attackers were present on a victim network before they were discovered was 229 days” . . . “only 33% of organisations to which Mandiant responded had discovered the intrusion themselves”
Source: Mandiant M-Trends Threat Report 2014
Published: 3rd July 2014