I’m always fascinated by reported figures and research statistics about the costs of security incidents. Generally they represent just the tip of the iceberg, because in practice you can’t nail down the lost sales, reputation damage and future legal claims that are directly attributable to the incident. Security researchers, most notably
the Ponemon Institute, have attempted to measure the costs of a data breach by analysing the total recovery costs, averaged across a number of real-life incidents. These figures suggest that the full cost of such breaches is likely to be as high as $100 to $200 per compromised customer account.
But real life rarely conforms to the projections of researchers and organisations can of course be very different in their scale, brand value and crisis response. So it’s interesting to note the unfolding claims and facts surrounding high profile incidents such as the recent data breach at TJ Maxx, which involved the nightmare scenario of a compromise of more than 45 million customer credit card details. Many analysts and pundits (including myself) were quick to speculate on the long term cost of this breach. Estimates of damages of the order of billions of dollars were suggested. Some security experts even thought they might be one of the first companies to be wiped out by a single security incident. So several months on, how has it turned out?
Well the costs are certainly significant. TJX’s second quarter results indicate that a figure of $130 million has been set aside so far this year to cover costs and potential liability. This is reported to include a staggering $11 million in security consultancy fees. By my reckoning that would buy you a security department several times bigger than the average Fortune 100 organisation. It’s not chickenfeed. But it is a long way from than billion dollar hit forecast by the pundits. And an organisation turnover measure in billions can easily survive a once-off hit of this size.
So after all, does the real, eventual size of the damage really matter? Probably not a lot in practice. Because a $100 million hit is more than sufficient to persuade Boards to take security very seriously indeed. And estimates of many further consequential damages, such as future lost sales, are largely academic, as they're not measurable and will never be known.