One would think that by spring of 2015, every business in the country would not only admit to fears about its cybersecurity posture, but be actively engaged in strengthening its capability to effectively respond to cyber attacks. In large measure that is true. For example, the Association of Finance Professionals says 71% of its member organizations have increased spending dedicated to mitigating possible cyber attacks over the past year and a quarter, boosting spending by at least 50%. But what about the others? The outliers?
There is another line of thought emerging which is very interesting. There are some who believe that the very reputation of a company provides sufficient protection against cyber threats. The reasoning goes like this. The biggest brands can easily sustain the costs of a significant cyber breach. Apostles of this reasoning point to high-profile breaches like those sustained by Sony or Target and suggest that the actual damage to the bottom line is not big enough to warrant significant investment in data security.
Taken at face value, Sony’s estimate that the costs of investigation and remediation activities stemming from the recent breach at Sony Pictures and Entertainment would be $35 million through March 31, 2015, seems a drop in the bucket for a company of Sony’s size. However, the Ponemon Institute’s 2014 Global Report on the Cost of Cyber Crime states that investigation and initial remediation activities like incident response and management represent about a third of the cost of a breach. This suggests Sony’s cost might approach $100 million. One assumes companies of Sony’s size do not readily embrace $100 million losses, but can sustain them and continue to do well. Yet consider that these losses may tell only part of the story.
Begin with the obvious. Sony is a technology company. Its reputation clearly has taken a hit, given that this latest breach was preceded by the Sony PlayStation breach in 2011, which cost an estimated $177 million. Suffering two high-profile breaches in a short period will call into question security practices, a likelihood sure to play out in the litigation ensuing from the Sony Pictures breach. Amy Pascal, Co-chair of Sony Pictures, lost her job after embarrassing information taken during the breach was made public. The information that was taken and released alienated employees, compromised strategic plans, and altered production schedules. Perhaps even more significantly, we do not know the extent of the intellectual property that was taken, and how much potential future revenue will be forgone because of its loss. This last point is worth examination. The loss of intellectual property can seriously compromise the future plans of any company.
Your brand and reputation may well contribute to your resiliency. High-end, well-established brands with loyal customer bases will have a far better opportunity to mitigate their losses from a breach than will brands with little reach and modest reputation. But make no mistake, the brand and reputation will be affected. Just how much will depend on how well the company does in managing its response to the breach. Keep in mind that there is no guarantee that you will not suffer multiple breaches, each taking its toll, and collectively calling into question how seriously the company takes its responsibility to protect its data. It is fiscally prudent to ensure that the practices you adopt in cybersecurity represent recognized best practices.
By Tom Davis, SDI Cyber Risk Practice
SDI #CyberTuesday offers insights and commentary on cyber risk management by SDI’s trusted cybersecurity, privacy and data security experts, skilled practitioners whose decades of experience working for governments and corporations around the world distinguish them as strategists and crisis managers.
March 24, 2015