
The Hidden Costs of a Data Breach

By ISBuzz Team | September 3, 2015 | Updated: July 4, 2024 | 6 Mins Read

When tallying up the costs of a data breach, it is easy to focus on the bills that have to be paid. There are significant, tangible expenses: credit cards that need to be re-issued, special PR projects that need to be implemented and the cost of specialized forensic consultants – the list goes on. But, are these the only costs that impact the business?

The short answer is no, and here’s why.

Some of the most important costs of a data breach don’t easily show up on bills. Significant intangible costs accompany any data breach event, including strategic opportunity costs, reputational damage, loyalty costs, lost customers and the loss of institutional momentum.

Take Target, for example. Looking only at the tangible costs, the retail chain incurred approximately $250 million directly. Cyber insurance covered nearly 40 percent of these fees, which could all be attributed to the costs of services and goods immediately needed post-breach. But, Target’s reputation suffered mightily as a result of the breach – sales were down, loyal Target customers shifted their allegiances to competitors, and not surprisingly, the stock price fell dramatically.

Even beyond these significant, “in-market” issues, Target had more to pay following the breach. After the cyberattack, the retail chain announced that it would be replacing its CIO and then, just a short time later, the CEO resigned.

In short, as a result of this data breach, Target – one of the most successful, well-run retail organizations – found that its best path forward involved a change in executive leadership. There is hardly anything more costly to a company than changing executives. Generally, a new CEO begins a multi-year process of organizational and strategic change.

The True Costs of a Breach are Incalculable :

There is no easy way to put a total price tag on what the breach cost Target. Lost customers are not easily reacquired, and skittish shareholders quickly find new investments to hold. When coupled with internal costs that the senior leadership changes will necessitate, the total costs are staggering. Eventually, the new leadership team should help Target move forward and regain some of the market position that it has lost – and recently, almost two years after the breach was announced, Target has shown signs of recovery. But, there is no doubt that the company spent a lot of time stopped dead in the water.

After a Breach, Everything is on Hold :

It is not an exaggeration to say that the recovery process from a major data breach consumes 100 percent of the organization’s focus for many weeks – or even months. The company is seemingly plunged into survival mode – product launches are delayed, new market initiatives are put on hold, PR efforts are diverted, and IT initiatives are halted. And, more often than not, all teams are required to abandon their usual day-to-day activities to concentrate efforts on event containment, analysis and short-term recovery.

Some companies will have a disaster recovery plan, carefully created by a cross-departmental team, to use as a blueprint for their actions. But many companies will make it up as they go along, oftentimes being forced to hire external help, including communications, image and executive consultants, to lead them through the tumultuous days.

Recoup Customer Loyalty and Trust :

The loss of customer loyalty and trust is potentially the most harmful hidden cost of a data breach. Since breaches often result in some customers’ personal information being stolen, ALL customers have to deal with the increased possibility that they will be victims of identity theft. And, no matter how the breach occurred, customers are likely to blame the brand for putting them at risk. This, in turn, leads to an immense lack of trust. Sadly, many once-loyal customers will seek out competitors’ services instead. All corporate leaders know that the cost of acquiring new customers is far higher than the cost of keeping current ones. Following a breach, many customers consider alternative options to serve their business, and once they have moved away, they don’t often return.

The Breach Is Just the Beginning :

Think back to the Anthem Health Insurance attack. Information was stolen from nearly 80 million people who were, at some point, affiliated with the company. Overnight these 80 million individuals (and EVERY OTHER ANTHEM SUBSCRIBER) became easy targets for a raft of cyber criminals. Suddenly their inboxes were bombarded with phishing emails, all claiming to be from Anthem, another healthcare provider, or even a credit bureau, reminding them of their exposure to identity theft or account compromise. Sample emails might say, “Click here to update your billing information.” But these emails are not what they seem – they are phishing emails, secondary attacks from another wave of cybercriminals looking to cash in on the misfortune of the breached company’s employees and customers.

Following a breach event, companies must take responsibility to step up their monitoring for cyberattacks of all kinds, including phishing schemes, domain impersonations, social media scams and executive masquerading. Without full-scale cyber and social threat monitoring, companies are essentially leaving their people to fend for themselves, despite publicly saying they are doing everything they can – all to protect their brand.

Just as a home with an alarm company decal in the window is a less desirable target to a would-be thief, a potential attacker will be discouraged by brands that publicly demonstrate their determination to stop secondary attacks by aggressively monitoring for cyber threats.

A Proactive Approach to Cybersecurity :

Cybercriminals aren’t going anywhere, so businesses must do everything in their power to prepare for incoming attacks, rather than planning while in the crossfire. The true cost of a data breach goes much deeper than dollar signs, as cyber insurance can only help so much. It’s a lengthy rebuilding and recovery process – and that’s all time your business cannot get back.

In today’s digital world, it’s never ideal to play defense when it comes to cybersecurity. The choice is yours to be a business that plays offense to dodge the true hidden costs of time, budget and customers you may lose after a data breach.

About Greg Mancusi-Ungaro

Greg Mancusi-Ungaro is responsible for developing and executing the BrandProtect market, marketing, and go to market strategy. A passionate evangelist for emerging technologies, business practices, and customer-centricity, Greg has been leading and advising world-class marketing initiatives, teams and organizations for more than twenty-five years. Prior to joining BrandProtect, Greg served in marketing leadership roles at ActiveRisk, Savi Technologies, Sepaton, Deltek, Novell, and Ximian, building breakthrough products and accelerating business growth. He is a co-founder of the openSUSE project, one of the world’s leading open source initiatives.

The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.
