Top executives from credit reference agency Equifax and the Marriott hotel chain appeared recently at a Senate hearing as part of an investigation into two of the largest data breaches in history.
The hack of Marriott's Starwood guest database, revealed last year, affected passport numbers and credit card details belonging to 383 million customers, while Equifax lost consumer credit data for 143 million people, which has never been recovered.
In 2018, several more of the world's biggest global brands experienced leaks and hacks resulting in customer data being compromised. With T-Mobile, Google, MyFitnessPal and Facebook among those suffering breaches last year, many firms are now realizing they must put cybersecurity at the top of their agenda.
How Much Does a Data Breach Typically Cost a Business?
The 2018 Cost of a Data Breach study from the Ponemon Institute found that the global average cost of a data breach is $3.86 million, with each stolen record costing $148. Cybersecurity Ventures predicts cybercrime will cost businesses globally more than $6 trillion annually by 2021.
The most obvious impact can often be seen in a company's share value. Yahoo's huge 2016 data breach, for example, led acquirer Verizon to knock $350 million off its offer for the business a year later, while Marriott's shares fell 6% on the day news of its hack came out and 20% over 2018 as a whole.
Data is the “new oil”
Ryan Dodd is founder and CEO of Cyberhedge, a firm that calculates the impact of cyber risk on shareholder value. He says institutional investors are considering cyber risk the same way they would any other aspect of corporate governance before deciding whether to invest in a business.
“Any institutional investor knows that the value of data and software and storing data as an asset has enormously transformed what is valuable, in terms of the share price. They all agree that data is the new oil, it drives value, and they intuitively understand that how a company manages that value and protects it should also matter to the share price long term, and it does."
That is why it is so important for companies to recognize the value of customer data and guard it fiercely.
“Marriott is a hospitality company but they lost their most valuable asset, which is their customer data," says Dodd. “Marriott spends a whole lot of money on marketing to understand the customer, and loyalty to the brand is the whole reason why. They bought Starwood for $14 billion to get their customers.”
In November last year when it revealed the hack, Marriott's president and CEO Arne Sorenson apologized and said the firm would learn from the incident: “We deeply regret this incident happened. We fell short of what our guests deserve and what we expect of ourselves. We are doing everything we can to support our guests, and using lessons learned to be better moving forward."
There's no arguing that there is a reputational cost to a data breach, but it can be hard to quantify.
Branding expert Graham Robertson is founder of brand consulting firm Beloved Brands, and has authored a book of the same name. He notes that consumer trust is a vital currency for companies, and failing to protect their customers' data can result in huge damage to brand reputation.
“For brands, all we have is trust, especially when we hand over our personal information. We expect it to be cared for," he says.
He notes data loss is especially bad news for a company with many business clients who tend to value privacy and data protection extremely highly.
“For brands like Marriott, consumers put a lot of faith in privacy, especially as most memberships are for business clients with high end spending. Marriott has a ton of information on their customers, not just what was freely given such as credit cards, phone numbers, addresses and significant others and links to emails and social media," says Robertson.
“On top of that, the reality is that most consumers use common passwords and that puts all their other passwords at risk,” Robertson continues. “As these brands are so closely linked to the consumer's life schedule, it could really cause a lot of damage for the consumer. We saw how hypersensitive consumers were when Facebook lost over 40,000 users per month following their crisis. If Facebook cannot protect their users, it could be a death knell."
How companies handle the fallout from a data breach can affect how much of a hit their reputation takes and whether they can restore consumers' trust. Being open and honest about the scale of the problem helps, as well as learning lessons and taking practical action to prevent a repeat in future.
Companies open themselves up to criticism by not disclosing breaches immediately after they are discovered, which can be months or even years after they have actually happened, as cyberattacks are designed to go unnoticed for as long as possible.
Fighting Back – Too Little Too Late?
Since disclosing its cyberattack in 2017, Equifax has announced it will spend an additional $1.25 billion on technology and security by 2020, and has hired nearly 1,000 new staff in this area. While it’s commendable that the firm is now taking this issue seriously, it does seem to be a case of closing the stable door after the horse has bolted.
Prevention Better Than Cure
Firms can face a huge range of costs when a breach has happened – from lawyers to defend lawsuits from customers, to cyberforensics experts to work out what happened, and crisis management people to get the right messages across to the public.
Investing in good security upfront costs companies a lot less than dealing with the aftermath of a breach, says Raef Meeuwisse, author of Cybersecurity for Beginners.
“There's a bit of a false economy in not doing cybersecurity correctly because, actually, under-investment can result in much higher damage costs from cybersecurity breaches."
He suggests that, to protect customer data, firms need to make sure security is “embedded by design" rather than an afterthought. “Although there are different levels of cyberattack skills - you get amateur hackers, organized crime and then nation state level - the reality is that most big businesses suffer damage from cyberattacks that are preventable problems. If you look at the root causes of the mega breaches, they still show that there'll be several, critical, major security controls that either were absent or weren't working effectively.
“Part of the challenge is that a lot of organizations still think cybersecurity is a paint that you can apply later on, and that isn't how effective security works."
How Much Should You Spend?
So how much do you really need to spend to get effective security? Deloitte research found the average company allocates just over 3% of its revenue for its IT budget, but Meeuwisse says companies he encounters are often spending just “a fraction of a percent", especially – and perhaps surprisingly – large organizations.
“In my experience, trying to do security later on is often not entirely possible and the expense is often more than hundreds of times greater than doing it by design.”
Dodd says he would view 3% as a low amount for total IT spend, and would put 6%-7% of revenues as a more realistic figure for companies to aim for.
Security Considerations for All Budgets
But what about organizations which don't have the resources of an S&P 500 firm to throw at their IT spend? Even those with limited budgets can still do a lot to safeguard their data. “It is definitely possible to run effective small business cybersecurity on a budget, but it's all about being brilliant on the basics,” says Meeuwisse. He suggests having the latest anti-virus software and firewalls, and updating them within 24 hours of a new 'patch' or update becoming available, before hackers get a chance to exploit a weakness. You should also encrypt valuable information (there are free tools available to help you do this) and back it up to at least two safe locations which will not be compromised if your main systems are hacked.
Education: Business owners can educate themselves with free information sources such as the National Institute of Standards and Technology (NIST) or the International Organization for Standardization (ISO). They can then train employees to spot and report phishing scams and avoid mistakes such as clicking on fake links which could let hackers in.
Administrative privileges: Giving staff the lowest administrative privileges possible to do their job is good practice and can help prevent them installing anything that could compromise the business.
Testing: Firms should also conduct a drill to work out how they would do in the event of a hack or a breach. “Think through and test a contingency plan so you know you can get your business back up and running quickly enough if you suffer a major attack," says Meeuwisse.
Tap specialists: Where possible, firms should always bring in a specialist to design their security, he adds. This is because the cyber landscape is vast and made up of rapidly changing threats and defenses, so a generalist IT person cannot be expected to keep pace. Those companies which have a chief information security officer to act as a single point of accountability tend to have the fewest security issues, he notes.
No Sector is Immune
It used to be that financial services companies were the obvious targets of cyberattacks, but now the nature and objective of hacks are changing, and this means businesses in every sector are at risk.
Dodd explains: “A really important trend is that the type of attack and the goal of an attacker has shifted in the last couple of years. If in the past there was a desire to steal actual money from accounts or steal customers' names to sell on the dark web, now it is more about ransomware where you're shutting down a company's operations and then asking for money. So business disruption has become a more popular type of attack, and it is something that can happen to any company in any sector."
To safeguard customer data – their most valuable asset – and retain brand trust, forward-thinking businesses will have to start thinking differently about cybersecurity. The cost of not doing so could be enormous in the long run.