Each winter, when the Ponemon Institute releases its annual "Cost of a Data Breach" study, we are reminded of the financial and reputational damage that a data-leakage incident can inflict on a victim brand.
This year's study found that breaches cost organizations $7.2 million on average in 2010. Business-related costs, such as customer loss and decreases in employee productivity, account for the largest proportion of total breach expenses. Other costs come from detecting or discovering the breach, notifying affected parties, and response activities to help victims.
Yet despite this, many of the companies that have experienced massive breaches in recent years (think: TJX, Heartland Payment Systems, Epsilon, and Sony) all seem none the worse for wear. Sure, stock prices may have taken a brief hit, or losses may have piled up due to certain factors, like paying for identity protection for customers. But by and large, big-name organizations that have had, in some cases, tens of millions of credit card numbers compromised have stuck around and even flourished. This video on The CMO Site, while short on statistics beyond a couple of anecdotes, makes a relatively compelling argument that breaches cause no lasting damage to brands.
Perhaps credit is due to the sheer size of these companies: they are financially healthy enough to overcome breach-related fees or a percentage loss of their customer base (Ponemon has pointed out that post-breach churn rates hover near 4 percent). Or maybe customers have become increasingly desensitized to hacks. They receive so many notification letters in the mail that they may wonder how they can possibly take their business elsewhere when, chances are, the alternative will be compromised too at some point.
Are breaches simply a part of doing business?
Not so fast. Just when you thought a brand would bend, but not break, in the wake of a breach, look no further than DigiNotar, the Dutch certificate authority that went bust a mere three weeks after admitting that its systems were infiltrated to issue counterfeit SSL credentials.
Of course, DigiNotar is different from, say, a traditional retailer. Not to mention that it is in the business of security. But a company is a company. And the minute people stop trusting you – quite literally in DigiNotar's case – doom is on the horizon.
So let this case be a wake-up call that information security must be valued as a business enabler. And if it is forgotten about, it could be a business-ender.