It’s only a matter of time. And it may be days, weeks or even months before the intruder is even discovered, giving him/her plenty of time to gather massive amounts of data. One of the latest victims of a breach was U.S. fast food chain Sonic, which learned of the breach after discovering what they described as a “fire sale” of millions of stolen credit and debit card numbers on the Dark Web.
The consumer is the biggest loser
Who really suffers when a breach happens? First and foremost, the customer. Hackers can use a small bit of information, such as an address, to string together a full profile and in no time, they’re opening a credit card in the victim’s name. Make no mistake, the customer is the real victim, and having personal information stolen can cause years and years of financial distress and agony for the victim.
Through the eyes of the breached company
That being said, I want to take a closer look from the perspective of a breached company. The negative impact can spread like wildfire. Here’s a list of possibilities off the top of my head.
- Increased spending to improve security
- Lost sales
- Lost customer base
- Dramatic stock decline
- Financial loss from fines
- Financial loss for retributions
- Financial loss from lawsuits and legal fees
Little is more detrimental to a company than the loss of reputation. An interesting study, The Ponemon Data Breach: Business & Financial Impact Report, collected information from three diverse groups: U.S. marketers, IT practitioners and consumers. All three groups were asked to weigh in on how a company’s reputation and share value can be affected by a data breach. Of the chief marketing officers (CMOs) interviewed, 71% believed the biggest cost of a security incident is the loss of reputation and brand value (49% of IT managers said the same). On the consumer side, 65% of those surveyed said they lost trust in an organization following a data breach, and 31% said they discontinued the relationship with the organization.
Small to medium size companies and the hard recovery
It is interesting to me how larger, well-known brands seem to fare better than smaller businesses. According to the 2017 Verizon Data Breach Investigations Report, 61% of victims in this year’s assessment were small to medium size businesses with fewer than 1,000 employees. Although most of the news centers around massive company hacks such as Target and Home Depot, it’s really smaller businesses that seem to suffer the worst. One breach could bankrupt a small business, where a larger TJX or eBay can survive.
Stock price after a breach
Another interesting point is a consistent drop in stock price after a breach. Ponemon found breached companies face on average a 5% drop in stock price, but how quickly the stock recovers depends on the company’s security posture (overall security approach/plan). Companies with better security postures saw stock prices quickly rebound, often within a week. Those with inferior security postures saw stocks take up to 90 days to recover.
Historically we’ve seen the big, established firms withstand the stock downfall, pay the fees and fines and come out fine on the other side. Companies such as Adobe, Target, eBay, and Home Depot all faced short-term dips in stock price following their breaches, but recovered. For example, the September 2014 Home Depot breach cost the company around $62 million, but only resulted in a two-week drop in stock price. By the end of 2014, the company had quickly bounced back with a 20% increase in earnings for the year.
Put the cause before the breach
So that was an interesting look at breaches from the company perspective. It’s worth noting that hackers are getting smarter, faster, and craftier every day. It’s also important to note that the major culprit that allows hackers such success is the rusty, outdated, insecure password. Yes, the password. Going back to the Verizon Data Breach Investigations Report:
80% of hacking-related breaches leveraged either stolen passwords and/or weak or guessable passwords.
So stay safe out there and remember to use multi-factor authentication.