The Hidden Costs of an Information Security Breach
- Sep 14, 2014
- Guest Author
No industry is immune to IT security breaches and it seems that retailers have been in the spotlight of late. Home Depot is the latest company to confirm a cyber-attack. For large publicly traded companies, the impact of a breach is measured by decreased sales revenue, lower stock prices, expenses associated with the breach, and departures of top executives. What are the ramifications for smaller companies?
In a prior post titled “Credibility and Reputation – New Target for Cyber-Attacks”, I discussed how companies can deal with the issue of reputational risk. From a financial perspective, the costs can be quite significant. In the case of Target, the discounter recorded $146 million in expenses related to the breach in which data for 40 million accounts were stolen. However, for a company the size of Target, as reported by Paula Rosenblum in a Forbes article, those costs represent just 0.2% of sales.
With the disclosure and prevalence of breaches being reported in the press, I wonder if customers are becoming immune to the news of yet another cyber-attack targeting payment systems. Target had about 80 lawsuits filed by consumers. Based on the reported scope of the Home Depot breach, there may be a commensurate number of lawsuits. It will be interesting to see if courts decide whether the retailer was vigilant enough in protecting against known security vulnerabilities and in preventing a significant breach from going on undetected for multiple months.
Another item that is getting more attention is state legislation regarding disclosure of information security breaches. In general, most state laws follow the tenet that companies must immediately disclose a data breach to impacted customers, usually in writing. This is true even when the disclosure was accidental and in situations where the data itself was not the primary target.
A lot. SMBs face many of the same challenges as their larger counterparts. Target’s system was attacked through a smaller partner company (an HVAC contractor), whose connections to Target’s computer systems were used to upload malware. Cyber-attackers realize that smaller companies can sometimes be easier to penetrate because their security approaches are less sophisticated and less mature.
The good news is that there are cost-effective ways for smaller companies to take some preventative measures. It starts with an introduction to vulnerability management.