deepagopi2011 - Fotolia
Protecting data is no longer just an IT problem, according to a Ponemon Institute study that highlights the damaging impact of data breaches on organisations, with share prices dropping, customer churn increasing, and reputation severely tarnished.
UK company stock prices drop by an average of 5% when a data breach is disclosed, according to the study, which polled IT practitioners, marketers and consumers.
The study tracked the stock price of 113 publicly traded benchmarked companies from 30 days before the announcement of a data breach and 90 days after.
However, the data showed that companies are less likely to see a decline in stock prices if they have a strong security posture through investments in people, process and technologies.
Because of their strong security posture, these companies are better able to respond to the data breach quickly, the Ponemon study said.
The data shows that companies that self-reported their security posture as superior and responded quickly to the breach event recovered their stock value after an average of just seven days.
In contrast, companies with a poor security posture at the time of the data breach and a slow response to the incident experienced a stock price decline lasting more than 90 days on average.
The difference in the loss of share price between companies with a low and a high security posture averaged 4%.
Similarly, organisations with a poor security posture were more likely to lose customers, while a strong security posture supports customer loyalty and trust, the study found.
Of those consumers affected by one or more breaches, 65% said they lost trust in the breached organisation and 27% said they discontinued their relationship.
The study found that those companies that experienced a customer loss rate of less than 2% had an average revenue loss of $2.67m, compared with average losses of $3.94m for oganisations that lost more than 5% of their customers.
Human behaviour specialist and independent cyber security consultant Jessica Barker said: “With so many data breaches hitting the headlines, there can be a sense of defeatism among some organisations.
“Breaches are seen as inevitable, so some organisations question the value of spending on security when it won’t make them 100% secure. However, this research has found that investing in security helps protect the organisation when even the worst happens, as companies with a strong security posture experience much quicker stock price recovery than those with a poor security posture following a data breach.”
Another key finding of the study was that although chief marketing officers (CMOs) and IT practitioners agree that the top impact of a breach is loss of band value and reputation, more than one-third do not believe brand reputation is taken seriously by the C-suite.
They disagree on brand responsibility, however. IT practitioners do not believe brand protection is their responsibility, while CMOs allocate more money in their budgets to brand protection than IT.
Some 42% of CMOs said a portion of their marketing and communications budget is allocated to brand preservation and 60% of these respondents said their department collaborates with other functions to maintain the brand. However, only 18% of IT practitioners said they allocate a portion of the IT security budget to brand preservation and only 18% collaborate with other functions on brand protection.
According to the study, consumers expect more responsibility for safeguarding personal information than companies are willing to assume.
While 79% of consumers polled said organisations have an obligation to take reasonable steps to secure their personal information, only 64% of CMOs and 66% of IT practitioners agree.
And while 73% of consumers surveyed believe organisations have an obligation to control access to their information, only 46% of CMOs and 44% of IT security practitioners believe this is an obligation.
The study found that consumer trust in certain industries may be misplaced. Some 68% of consumers said they trust healthcare providers to preserve their privacy and to protect personal information, compared with just 26% who said they trust credit card companies.
And yet healthcare organisations account for 34% of all data breaches, while banking, credit and financial organisations account for only 4.8%. Banking, credit and financial industries also spend two to three times more on cyber security than healthcare organisations do, the study said.
The study showed that while 70% of IT practitioners do not believe their companies have a high level of ability to prevent breaches, 58% of CMOs are confident their company would be resilient to a data breach that results in the loss or theft of high-value assets.
The loss of stock price is perhaps a blind spot for CMOs and IT practitioners, the study suggested. Reputation loss due to a data breach is one of the biggest concerns to both IT practitioners and CMOs, but only 23% of CMOs and 3% of IT practitioners said they would be concerned about a decline in their companies’ stock price.
In fact, in organisations that had a data breach, only 5% of CMOs and 6% of IT professionals said a negative consequence of the breach was a decline in their companies’ stock price.
“In this past year alone, we have seen high-profile data breaches, such as Yahoo and TalkTalk, experience the significant consequences that a breach can have on shareholder value and brand reputation,” said Bill Mann, senior vice-president of products and chief product officer at identity and access management firm Centrify, which commissioned the Ponemon study.
“It is clearly a blind spot for the C-suite and it is time leadership recognise that protecting data is no longer just an IT problem, but a bottom-line business concern that needs a holistic and strategic approach to protecting the whole organisation.”
The study underlines the fact that information security is important to any company that is concerned about how it performs on the stock market, said Mann.
“We are constantly trying to educate companies that they need to think about security at the highest level to ensure they have a good security posture and that basic things like patch management are done properly, so that companies are not hit by things like the recent WannaCry ransomware attacks,” he told Computer Weekly.
“Information security needs to become a board-level conversation and there needs to be greater recognition that a breach has a massive impact on a company’s reputation and brand value, so that the right investments are made, the right people are hired, and the correct processes are in place.
“While the study affirms what the industry has been saying for a while, it was a surprise to see that large portions of the IT organisation either said that they are not comfortable with their security posture or that they don’t feel responsible for handling the breaches.”
The study concluded that the effects of a data breach can ripple throughout the company and have devastating and long-term financial consequences. These include reputation and customer loss, decline in revenues, loss of competitive advantage and employees’ inability to be fully productive.
But having a strong security posture will reduce the negative consequences of a breach, the study said. A company’s security posture can be improved by having a fully dedicated chief information security officer, adequate resources, participation in threat-sharing programmes and strategic investment in appropriate security enabling technologies, it added.
Strong security posture
IT practitioners are not as confident as they should be in their ability to prevent a breach, the study said. But this can be improved by having a strong security posture that includes an effective data breach response plan.
But to be prepared for the eventual data breach, the C-suite needs to be actively engaged, the study said, noting that in many cases boards of directors, chairmen and CEOs are avoiding responsibility for data breach preparedness despite the potential for damage to reputation and serious declines in stock value.
As well as making companies more resilient to a data breach with security enabling technologies, consumers’ concerns about their personal information should also be addressed, the study said.
As part of data breach preparedness, the study recommended that senior management, especially the chief privacy officer, should be involved in ensuring that their company’s privacy and data-handling practices respect their customers’ expectations to help mitigate customer turnover.