
The Hidden Costs of an Information Security Breach

No industry is immune to IT security breaches and it seems that retailers have been in the spotlight of late. Home Depot is the latest company to confirm a cyber-attack. For large publicly traded companies, the impact of a breach is measured by decreased sales revenue, lower stock prices, expenses associated with the breach, and departures of top executives. What are the ramifications for smaller companies?

In a prior post titled “Credibility and Reputation – New Target for Cyber-Attacks,” I discussed how companies can deal with the issue of reputational risk. From a financial perspective, the costs can be quite significant. In the case of Target, the discounter recorded $146 million in expenses related to the breach in which data for 40 million accounts were stolen. However, for a company the size of Target, as reported by Paula Rosenblum in a Forbes article, those costs represent just 0.2% of sales.

Are customers concerned?

With the disclosure and prevalence of breaches being reported in the press, I wonder if customers are becoming immune to the news of yet another cyber-attack targeting payment systems? Target had about 80 lawsuits filed by consumers. Based on the reported scope of the Home Depot breach, there may be a commensurate number of lawsuits. It will be interesting to see whether courts decide that the retailer was vigilant enough in protecting against known security vulnerabilities, or that it allowed a significant breach to go on undetected for multiple months.

Disclosure of breaches?

Another item that is getting more attention is state legislation regarding disclosure of information security breaches. In general, most state laws follow the tenet that companies must immediately disclose a data breach to impacted customers, usually in writing. This is true even when the disclosure was accidental and in situations where the data itself was not the primary target.

What does this mean for small and medium-size businesses?

A lot. SMBs face many of the same challenges as their larger counterparts. Target’s system was attacked through a smaller partner company (an HVAC contractor), whose connections to Target’s computer systems were used to upload malware. Cyber-attackers realize that smaller companies can sometimes be easier to penetrate because their security approaches are less sophisticated and less mature.

The good news is that there are cost-effective ways for smaller companies to take some preventative measures. It starts with an introduction to vulnerability management.
