Business executives know that their organizations need to invest in cybersecurity, but it is notoriously difficult to estimate the cost of failure. Companies hold different amounts and types of data and are subject to different regulations, and attackers meet with varying degrees of success. Consequently, most companies cannot put a dollar figure on what a data breach would cost them. Instead, we rely on the evidence from companies that have already suffered one. In this installment of CIO Corner, we look at new data points indicating the cost of a data breach.
Three years after a data breach that exposed 56 million customer credit cards, Home Depot is still tallying the final cost. Just this week, the company agreed to pay $25 million to financial institutions affected by the breach, bringing the total price tag to $179 million. The prolonged resolution is a warning to other companies that the fallout of a data breach can persist for years after the event.
Home Depot to Pay Banks $25 Million for 2014 Breach https://t.co/Ze7Rvtj0cN
— Sandy Fliderman (@fliderman) March 14, 2017
The $179 million Home Depot has paid in settlements does not tell the full story, however. Indirect costs such as legal fees, remediation, and reputational damage all contribute to a data breach's total adverse impact. Companies with particularly messy breaches can even have trouble securing cyber insurance policies. It is also difficult to put a dollar value on certain types of data, such as intellectual property. For example, Waymo, Google's self-driving car unit, is currently suing Uber following an incident in which a former Google engineer allegedly took sensitive design files and used them to build a competing self-driving vehicle program at Uber.
Yahoo set a record when it was the victim of a cyber attack that exposed over one billion user accounts. As a result, Verizon cut Yahoo's acquisition price by $350 million, roughly seven percent of the original $4.83 billion deal, a figure that does not include ongoing costs tied to the breach. It is no coincidence that Yahoo is one of the early internet giants. Internet companies, and software companies in particular, are in the business of collecting data. They can easily scale to millions of users and, in rare cases like Yahoo's, to a billion.
Verizon sought $925 million discount for Yahoo merger, got $350 million https://t.co/H3jQrGHhh4
— David Chou (@dchou1107) March 14, 2017
The Internet 3.0 revolution is affecting companies far beyond Silicon Valley. Nearly every company is investing in digitization, which means developing digital streams of revenue. As more companies move into the software business through product development or acquisition, stockpiles of consumer data will accumulate outside the traditional tech sector. Yahoo's mega breach could be a harbinger of a new scale for data breaches.
The Industrial Revolution of Application Security https://t.co/Xg3qwzRg1w
— Scott Fenton (@sdfenton) March 15, 2017
Users online often do not realize what data they share or where it goes. A trusted website may collect data and then pass it to third-party services that have never been vetted for their security practices. Digital data is the new currency, and regulatory authorities are working to write laws that keep pace with current and future technology. Not surprisingly, early attempts at regulating consumer data in the United States have focused on the financial services industry. New York State's Department of Financial Services has issued new cybersecurity regulations for financial firms, and regulators are still debating how to account for the risks of large-scale digital data analysis. There is also a storm cloud on the horizon: the EU General Data Protection Regulation. The GDPR takes effect in May 2018 and aims to set the standard for privacy regulation in the digital age.
Building online businesses and interacting with consumers over the internet and on mobile devices inevitably means that enterprises will move data to the cloud. However, not every IT department starts with the skill set and culture needed to adopt the security model the cloud requires. Moving to the cloud means abandoning the enterprise perimeter model, which is focused on keeping attackers out of the network, and adopting a strategy based on protecting the data itself: controls such as encryption and identity-based access that travel with the data across applications, from the corporate network to employee mobile devices. Moving to the cloud can be, and usually is, more secure than the alternative, but only if IT departments transform their security strategy along with their infrastructure.