Virtually everything reported about data breaches is about how expensive they are.
But apparently not for everybody. CBS MoneyWatch reported recently that one of the prime reasons the biggest companies don’t address their security vulnerabilities is that the cost of a breach – even what is viewed as a catastrophic breach – amounts to “chump change” as a percentage of overall revenue.
One example cited was the 2014 Home Depot breach, when hackers were able to steal 56 million credit and debit card numbers and 53 million email addresses. It cost the company, “only a net $28 million, after a $15 million insurance payment. That's less than 0.01 percent of the company's 2014 revenue,” the report said. It also apparently cost only 50 cents per card compromised.
Of course $28 million is a lot of money. But convert the percentage loss to the personal income level, and it would amount to $100 for somebody making $100,000. More than a parking ticket, but yes, chump change, relatively speaking, especially if hardening your security defenses would cost two or three times that.
Even the costs of the high-profile breach of mega-retailer Target at the end of 2013 – 40 million debit and credit card numbers and 70 million other records that included addresses and phone numbers – didn’t cut significantly into the company’s bottom line.
The gross loss of $252 million during 2013 and 2014 was whittled down to $105 million after $90 million in insurance payments plus tax deductions. That amounted to about 0.1% of the company’s 2014 revenue, and a net cost of less than $2 per record compromised.
Indeed, CSO reported last week that a 2014 Verizon survey of 191 insurance claims filed in 2014 concluded that the average cost per record was only 58 cents.
How can this be, in light of the Ponemon Institute’s “2015 Cost of Data Breach Study: Global Analysis,” which reported that the average cost per record compromised had increased from $159 to $174?
According to Larry Ponemon, chairman and founder of the institute, it is all about context and the study sample. The Ponemon survey covered only breaches that ranged from 5,000 to 100,000 records compromised, because that is the range for the vast majority of them. (Read the full story about the cost of a data breach according to two surveys.)
That leaves out the multi-billion-dollar companies that get the most headlines when they get breached. And the costs “do seem to flatten out at around $17 per record” once the number reaches into the millions, he said.
“These mega-breaches are rare,” he said, “so they tend to skew the results.”
Another reason that the leaders of large corporations may figure that it is not worth the effort and cost to improve security is that brand damage is apparently not long-term. The public, increasingly accustomed to hearing about major hacks and data breaches on a regular basis (more than 100,000 IRS taxpayer records compromised and the breach of 4 million employee records from the U.S. Office of Personnel Management are just two recent examples), may view it as a “new normal.”
But for companies outside the Fortune 1000 level, the net cost of the breaches can still hurt a lot, Ponemon said.
That is the message from other studies of data breach costs. A 2014 report by New York Attorney General Eric Schneiderman titled “Information Exposed: Historical Examination of Data Breaches in New York State” that covered the years 2006-2013, described their costs as, “nothing short of staggering,” noting that the combined losses in 2013 alone for organizations doing business in New York were $1.37 billion.
And those costs keep going up. Ponemon’s most recent report found that the average total cost of a breach had increased 23% over two years, to $3.79 million. For a corporation worth billions, that is not much, he agreed, but said it amounts to significant money for the vast majority of smaller organizations.
Beyond that, experts say that the “soft costs” of data breaches, even for really big companies, can go far beyond the direct costs reported, meaning it is not as “cheap” as it appears.
Some estimates of the total costs of the Target breach range to more than $1 billion, including a drop in profits of 46% in the fourth quarter of 2013 compared to the year before.
Other costs cannot be quantified directly, but can still be significant, such as lost future sales.
“We cannot simply look at potential loss based on the number of compromised records,” said Rob Kraus, director of research at Solutionary. It also has to include, “the impact of consumers who were looking to make purchases in the future – new consumers.”
Muddu Sudhakar, CEO of Caspida, also said there are costs that may be hard to calculate since they occur over time. “Data breaches have multiple costs – direct breach recovery, lost revenue, contractual risks, reputational damage, and lost competitive advantage when intellectual property is compromised,” he said.
And, of course, they can have a very direct impact on company leaders. The CEOs of both Target and Sony resigned following the breaches of their companies.
Nat Kausik, CEO of Bitglass, added that in industries outside of retail, such as healthcare and financial services, “data breaches can have significant penalties associated with loss of compliance.”
Ponemon said it is not just customers who pay attention to the reputation of an organization either. The failure to address security can affect a company’s relationship with its partners. “If they know you’re not serious about security, they may stop sharing information with you,” he said.
Sudhakar agreed. “If you move from the consumer space to the B2B space, enterprises are very careful about who they partner with,” he said. “They know that a breach of their intellectual property can have catastrophic consequences in terms of revenue and lost competitive advantage.
And, of course, cyber criminals are bound to notice even an unspoken message that a company is lax about security.
“Hackers opportunistically hack vulnerable enterprises first. The weakest bank, the weakest retailer, the weakest healthcare organizations get hacked first,” Kausik said.
Finally, the liability costs of breaches could ramp up. “At some point we're likely to see more of these breaches make it up to the point of class-action suits and this will increase the loss potential of enterprises as well,” Kraus said.
In general, experts say it is dangerous for any organizational leader to assume that breaches are rare. Many are not required to be reported publicly. And the mantra among security experts for years has been that there are two kinds of companies: Those that know they have been breached, and those that have but don’t know it yet.
“You could make the argument that large corporations should not invest in fire insurance, sprinklers or smoke detectors because the risk of a fire is so remote,” Sudhakar said. “But that is a fallacious argument – businesses protect themselves from fires even if the possibility is slight.”
Kraus compared breaches to cockroaches. “You see one, but do you not see the other thousand hiding in the walls or under the sink,” he said. “I don't believe most CEOs actually understand the threats that are out there today.
“They excel at driving businesses to success and are very well versed in ensuring the enterprise is successful, but I do not put a lot of faith into most when it comes to approaching how to secure the organization.”
Ponemon warns that a failure to address security can also turn a small problem into a big one. “The Anthem breach started with 10 or 20 records. But then they realized, ‘Hey, no one’s spotted us,’ and it got much bigger. Hackers are trying to test the limits of our systems.”
Kraus said security needs to be viewed more as an investment than a drain on the bottom line.
“I strongly recommend that organizations approach security using a tactical and strategic road map,” he said. “It should be viewed as, ‘This is the money we need to spend over the next three to five years, to save or mitigate losses, resulting in an expected return on investment.’”
This story, "Breach costs: ‘Chump change’ to bottom lines of big players" was originally published by CSO.