The cost of a data breach just went up
This is the third blog in a four-part series delving into information security concerns and what you can do to keep your organisation safe.
"The world isn't run by weapons anymore, or energy, or money. It's run by little ones and zeroes, little bits of data. It's all just electrons." - Cosmo, Sneakers, 1992
We calculate the cost of a potential information security risk by multiplying the likelihood of an incident happening with the cost if it does. This process and the resulting figures keep the bean counters happy because they can throw the numbers into Excel and produce charts and graphs and presentations to explain why everybody's doing all the right things and we should all sleep easy at night. It's measurable, clinical, and predictable.
But how do we measure something as ephemeral as the likelihood of, say, someone's laptop being stolen? That'll depend on the person who's handling the laptop (I know some people who'd forget their left leg if it wasn't attached) and the skill of the person burgling their house (my grandfather had his trousers stolen from his bed while he was asleep). And how do we measure the cost of intangibles like customer loyalty and staff satisfaction?
A new report from FireEye is shaking up the accepted wisdom on the cost of a data breach, in particular the reputation and brand damage following a data breach. For background, a UK government report released on May 8 revealed that 65% of large UK companies had suffered a data breach in the past year, but only 4% of those companies believed that their company suffered reputational damage as a result.
Where the UK government report concentrated on the perceptions of businesses, the FireEye report asked consumers for their opinions (6500 people from 6 different countries). The results show that the business perception has no basis in reality. Here are some of the important figures:
- 73% of consumers would be likely to stop purchasing from an organisation if the theft of their data was due to a lack of board-level attention to security
- 74% of consumers would be likely to stop purchasing from an organisation if the theft of their data was due to negligent data handling
- 74% of consumers would be likely to stop purchasing from an organisation if the theft of their data was due to negligent data protection
- 60% of consumers would take legal action if their details were stolen and used for criminal purposes
- 51% of consumers consider security to be a main or important consideration when purchasing, up from 43% the year before
- 48% of consumers would be willing to pay more to work with a provider with better data security
- 91% of consumers believe they should be notified of a breach within 24hrs, 66% believe they should be notified immediately
What do these numbers mean? They mean that the cost of a data breach is much, much higher than our Excel spreadsheets would lead us to believe. In many cases a data breach could mean the difference between a thriving business and a fire sale. It's time to recount the beans and make data security a much higher priority.