DigiNotar collapse underscores impact of a breach

Each winter, when the Ponemon Institute releases its annual "Cost of a Data Breach" study, we are reminded of the financial and reputational damage a data-leakage incident can inflict on a victim brand.

This year's study found that breaches cost U.S. organizations $7.2 million on average in 2010. Lost business, such as customer churn and reduced employee productivity, accounts for the largest share of that total. The remainder comes from detecting and investigating the breach, notifying affected individuals, and responding to them afterward.

Yet despite this, many of the companies that have suffered massive breaches in recent years (think TJX, Heartland Payment Systems, Epsilon and Sony) seem none the worse for wear. Sure, stock prices may have taken a brief hit, and losses may have piled up from expenses such as paying for identity protection for customers. But by and large, big-name organizations that have lost, in some cases, tens of millions of credit card numbers have stuck around and even flourished. This video on The CMO Site, while short on statistics beyond a couple of anecdotes, makes a fairly compelling argument that breaches cause no lasting damage to brands.

Perhaps credit is due to the sheer size of these companies: they are financially healthy enough to absorb breach-related costs or the loss of a percentage of their customer base (Ponemon has pointed out that post-breach churn rates hover near 4 percent). Or maybe customers have simply become desensitized to hacks. They receive so many notification letters in the mail that taking their business elsewhere hardly seems worth the trouble when, chances are, the alternative will be compromised too at some point.

Are breaches simply a part of doing business?

Not so fast. Just when you thought a brand would bend but not break in the wake of a breach, look no further than DigiNotar, the Dutch certificate authority that went bankrupt a mere three weeks after admitting that intruders had used its systems to issue fraudulent SSL certificates, among them a wildcard certificate for *.google.com.

Of course, DigiNotar is different from, say, a traditional retailer, not least because it is in the business of security. But a company is a company. And the minute people stop trusting you, doom is on the horizon. In DigiNotar's case that was quite literal: once the major browser vendors pulled its root certificates from their trust stores and the Dutch government took control of the company, it had no product left to sell.

So let this case be a wake-up call that information security must be valued as a business enabler. Forget about it, and it could be a business ender.
