Data Breaches Cost An Average Of $4m Per Incident

The Ponemon Institute has found that data breach costs are rising, now reaching $4m per incident, Daniel Miessler at IOActive commented below about the relationship between data breaches and reputation damage.

Daniel Miessler, Director of Advisory Services at IOActive:

“The relationship between data breach and reputation damage (and then to lost revenue) is not as straightforward as one might think. It seems intuitive that the correlation would be strong and direct—you get hacked and you lose stock price and/or revenue due to the damage suffered by your brand. The reality, however, is more complex, and there are a couple factors making this so:

#1 Everyone is getting breached. The more companies that get breached, the more inevitable it seems in the minds of customers and investors. The first few breaches look very bad because the assumption is everyone is secure, but as they continue to happen it starts to look like it’s simply an inherent part of business now—especially with advanced threat-actors like nation-states on the field.

#2 Because so many people are getting breached, the question is turning to how that incident is handled instead of whether or not it happened. Companies that sound transparent and contrite, while giving a clear assessment of what occurred and how it will be prevented next time often end up gaining trust from their customers. This is especially true the more #1 is true.

The worst kind of reputation damage comes not from incidents, but from the appearance of incompetence or negligence. These are the feelings in customers or investors that can truly harm a company’s value over time as it relates to data breach.  In short, breaches are not all the same, and therefore do not affect companies the same. And the difference is mostly about the response by the company and what that response says about the underlying health of their security.

If you hesitate and are defensive in your communication, and it’s clear that your security hygiene was not in order, that communicates incompetence in a way that people may worry could affect other parts of the organization. If, however, a company shows that they were relatively secure, detected the issue quickly, are very sorry it happened, and have adjusted quickly to make sure it doesn’t happen again while protecting anyone affected—they may turn the situation into a non-issue or even a positive.”