Nigel Thorpe, technical director at SecureAge Technology, looks at the impact of a data breach and asks which is more damaging: the blow to reputation or the financial cost?
The reputation of an organisation is closely linked to its financial value, which makes the distinction rather blurred. Modern accounting shows both tangible and intangible assets on the corporate balance sheet, yet according to Aon’s 2019 Global Risk Management Survey, intangible assets such as reputation and IP (Intellectual Property) rights are five times higher in value than the tangible.
So, when it comes to measuring the cost of a cyber breach, it can get complicated. What is more clear cut is that, whichever way you look at it, the fallout of a successful cyber attack can have severe consequences for the targeted business.
Analysts and commentators will often put a figure on the cost of a security breach. The main reason for this is that financial damage is predictable, measurable and also time-limited. For example, we know there are maximum fines that may be imposed for violating GDPR, therefore compensation can be estimated. But an organisation’s reputation is intangible and customers also remember poor performance and badly managed events for a very long time.
And it’s not just people that have long memories when it comes to mistakes. The internet and social media channels add up to an environment where even modest IT security lapses can have widespread consequences, so a major incident can cause far-reaching and even terminal damage to an organisation’s respect.
The Snowden snowball
Edward Snowden’s name still crops up even seven years after the US NSA (National Security Agency) scandal on Wikileaks. Data breaches like this are remembered and constantly revisited and can also lead to collateral damage. An example is Altegrity Risk International (ARI), which had to file for Chapter 11 bankruptcy after the US government terminated two major contracts with them following a ‘state-sponsored’ security intrusion. ARI had been given the responsibility for making the background checks on Snowden and so lost the trust of its customers.
Counting supply chain costs
The Shen Attack is a hypothetical scenario developed by the Cyber Risk Management project – a public-private initiative assessing cyber risks. It attempts to quantify the economic losses of a plausible major cyber attack on 15 ports across the Asia Pacific region. The ‘attack’ was launched via a computer virus carried by ships, which scrambles the cargo database records at the ports and leads to severe disruption. It estimated that an attack of this scale would cause losses of up to $110 billion across a wide range of business sectors globally, due to the interconnectivity of the maritime supply chain. In this case, it could be argued that financial loss is more damaging overall than reputational damage focused on the weakest links or the company at the top of the supply chain.
While both can have a devastating impact, both financial and reputational damage can be managed. Handled well, an organisation can limit damage, regain respect and rebuild its reputation. On the other hand, a poor data breach response can have long-lasting catastrophic implications.
Uber’s breach in 2016 was covered up for more than a year. The company also paid the hackers $100 million to delete the stolen data and more than a year after ‘fessing up’, they had to deal with global legal and regulatory actions. According to Varonis, Uber’s customers’ perception dipped 140% when the incident was disclosed – and negativity against the company went well beyond this.
It is variously reported that 70-80% of customers will stop engaging with a brand after a poorly managed data breach. PwC states that 87% of consumers say they will take their business elsewhere if they do not trust a company to handle their data responsibly.
On the other hand, coming clean can even boost an organisation’s reputation. Norsk Hydro demonstrated a prompt and open response to a devastating ransomware attack. With daily media posts, business partners were kept abreast, while the company made it clear they were not going to pay the ransom. At the same time, investors were frequently briefed about the total cost of the attack and the staff worked hard to meet their customers’ requirements despite the tricky working conditions. The result was an actual boost to the company’s reputation which helped to shore up its stock price and prevented speculators in financial markets from taking aim at it.
Learning from others
Perhaps the more important point is how IT security policy is directed, based on these experiences. If the risk of direct financial loss is the thinking that drives IT security policy, then the organisation is prone to ‘checkbox security’. In this case, doing the bare minimum can be considered good enough, and reliance is placed on the firm’s ability to react to security incidents as they arise.
However, if the organisation considers that the protection of their reputation is more important, then IT security is likely to be directed to take a more proactive stance, placing data security front and centre.
The equation is complicated, but if companies take a proactive, data-centric security approach where information is inherently protected at rest, in transit and in use, both risks can be mitigated. Traditionally we have tried to stop the ‘bad guys’ getting in rather than protect the data itself. But if we make sure that any data that gets into the wrong hands is rendered useless, there is no risk to reputation and no ransom to pay.
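To make the “rendered useless” claim concrete, here is an added example (not code from the article or from SecureAge) of data-centric protection at rest: each record is sealed with AES-256-GCM under a key that never sits beside the data, so an exfiltrated copy of the stored blob reveals nothing and any tampering with it is detected. The record text, the `customer/4711` label and the helper names are constructed for the illustration; in practice the key would be held in a KMS or HSM rather than generated in the process.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// NewKey returns a fresh 256-bit AES key. Assumption for this example only:
// a real deployment would fetch the key from a KMS/HSM, not generate it here.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// SealRecord encrypts a record with AES-256-GCM. A random 12-byte nonce is
// prepended to the output. The label (e.g. a record identifier) is
// authenticated but not encrypted, so a blob cannot be swapped into a
// different record's slot without detection.
func SealRecord(key, label, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext||tag to the nonce, giving nonce||ciphertext||tag.
	return aead.Seal(nonce, nonce, plaintext, label), nil
}

// OpenRecord reverses SealRecord. It returns an error if the key or label
// differs, or if a single byte of the nonce, ciphertext or tag was altered.
func OpenRecord(key, label, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < aead.NonceSize() {
		return nil, errors.New("sealed record too short")
	}
	nonce, ct := sealed[:aead.NonceSize()], sealed[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, label)
}

// LeaksPlaintext reports whether any 8-byte window of the plaintext appears
// verbatim inside the stored blob. For a correctly sealed record this is false,
// which is the property that makes a stolen copy worthless on its own.
func LeaksPlaintext(sealed, plaintext []byte) bool {
	for i := 0; i+8 <= len(plaintext); i++ {
		if bytes.Contains(sealed, plaintext[i:i+8]) {
			return true
		}
	}
	return false
}

func main() {
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	label := []byte("customer/4711") // constructed record identifier
	record := []byte("constructed sample: customer 4711, card ending 1234")

	sealed, err := SealRecord(key, label, record)
	if err != nil {
		panic(err)
	}
	// What an attacker who copies the stored blob (but not the key) can see:
	fmt.Println("plaintext visible in stored blob:", LeaksPlaintext(sealed, record))

	// Integrity: flipping one bit anywhere in the blob is rejected.
	tampered := append([]byte(nil), sealed...)
	tampered[len(tampered)-1] ^= 0x01
	_, err = OpenRecord(key, label, tampered)
	fmt.Println("tampered blob rejected:", err != nil)

	// Confidentiality: a different key recovers nothing.
	otherKey, _ := NewKey()
	_, err = OpenRecord(otherKey, label, sealed)
	fmt.Println("wrong key rejected:", err != nil)

	// The legitimate reader, holding the key and label, gets the record back.
	got, err := OpenRecord(key, label, sealed)
	fmt.Println("round trip ok:", err == nil && bytes.Equal(got, record))
}
```

The design point is that the breach scenario in the article changes shape: what leaves the building is nonce, ciphertext and tag, and the only asset worth protecting is the key, which lives in a separate system with its own access controls and audit trail.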