By the end of 2015, the top 10 data breaches impacted over 160 million customer records and destroyed more than 3 trillion dollars of market value. Gone are the days when the responsibility and impact of security could be relegated deep within locked rooms filled with glowing computer screens. The consistent and silent failure of security technologies has placed us in a world where in order to change outcomes, security decisions must be central to business strategy.
Cyber security is among the most pressing challenges of our time. It’s time for a holistic approach that addresses the human factors, the brand and reputation risks, and the financial damage caused by these incidents.
There was a moment when companies believed their users were protected within a strong perimeter. That no longer exists. In a mobile-first, cloud-first world, employees work on corporate applications and access sensitive data from on-premises and cloud-based systems using every type of device. This is a business choice made to improve productivity and achieve efficiency.
While there is an immense opportunity for enterprises and individuals to derive personal and professional value from today’s connected technologies, the fact remains that humans enable 97 percent of breaches.
This is the human element that business leaders must grapple with. Those who have the authority and ability to take action must foresee the risks and challenges that individuals pose while avoiding a reflexive reaction to hold the same individuals hostage to a host of ineffective educational programs, subtle and overt reprimands and limited capabilities.
If an organization fails to address cyber security as a business issue, it creates a disconnect that drives a lower rate of attack recognition, as evidenced by Verizon’s findings. The result is also collateral damage in the form of confusion and uncertainty rather than a unified understanding of how to approach cyber security response and preparation for the next attack.
If cyber security were simply an IT problem, implementing new layers of security would be enough to solve the problem. No form of data encryption, no firewall policy, no iron-spiked wall of cyber defense safeguards can account for the carefully orchestrated human cooperation that must take place to secure an organization.
Tangible Financial Damage
There are four ways data breaches impact an organization financially:
Companies must focus on the tangible costs they incur repairing damage from a breach. Target spent $162 million between 2013 and 2014 to clean up the aftermath of its data breach. Additionally, companies often must pay fines to regulatory bodies. Cox Communications must pay $595,000 to the Federal Communications Commission (FCC) in fines related to the cable provider’s data breach. Third, breached companies are often responsible for punitive or economic liability toward customers who suffer as a result of the breach. Experian, the entity responsible for the T-Mobile data breach, offered customers two free years of its ProtectMyID service — typically a $15.95 monthly subscription. Finally, many companies’ market caps fall immediately after a cybersecurity breach. The stock of TalkTalk, the small telecom service provider, traded down 30 percent after news of its data breach broke.
Breaches Damage the Brand
In October this year it became public that hackers had stolen personal information from around 15 million T-Mobile customers over the course of two years. Since the breach, T-Mobile’s CEO has issued an apology and the company has dedicated resources to developing breach-related FAQ and resources pages for customers. Three United States senators found the breach important enough that they issued a letter to T-Mobile and Experian. The two companies are currently embroiled in a number of class-action lawsuits related to the breach.
Consumers surveyed revealed they would shop less frequently at a retailer after a data breach. Worse, 85 percent would tell others about their experience after a retailer’s data breach — a sign that brand image problems do not stop with those directly affected. Companies must climb a steep hill to repair their brand after cyberattacks jeopardize customer information. Enlisting IT to patch the cracks in the cyber defense wall may help ensure future breaches do not occur. But IT’s network patches will not repair consumer perception of the company in question.
The notion that cyber security is a business problem may only just be an annoying voice in the back of executives’ heads. For many it is still an issue to silo off into a dark corner, to sweep away under IT’s rug. But there is a human reason, a brand reason and a financial reason that cyber security is and must continue to be a company-wide mandate, from the C-suite all the way down.
There will always be new threats and new attacks against businesses. Yet companies can take actions today to address security concerns and improve their security postures. These actions, when holistic in nature and led as central to the business, can protect the individual people, shore up company brand reputation and mitigate the resulting financial impact felt as the result of a cyberattack.