[BreachExchange] Data Breaches – Just a Cost of Doing Business or Tip of the Spear for Threats to Business?

[Audrey McNeil]

http://www.infosecurity-magazine.com/opinions/data-breaches-cost-of-doing/

Now that major data breaches have become so commonplace, there is a growing
perception that they are inevitable costs of doing business and resulting
costs need to be paid, with the fallout contained as quickly as
possible—and move on.

Data breach malaise has set in, and some of the public outrage and concern
seems to be attenuated. “It will be news when there’s a day a new data
breach isn’t discovered,” quipped one journalist.

Despite the large costs involved, several pundits have postured that the
resulting data breach costs large enterprises face are a drop in the bucket
compared to revenues and profits they take in. A recent announcement of an
additional cost of $19.5M to the previous costs of $152M for the Home Depot
data breach, might be seen as small as compared to the $21B in revenue they
took in last quarter or the $88.5B for fiscal 2015.

Obviously a smaller company might be devastated by the costs of liability,
investigation and clean up. The more than $171M that Home Depot has had to
allocate—even after a big payout from its cyber insurance policy—for a
single breach is a monstrous number, and could easily wipe out smaller
enterprises.

The real costs of a data breach are varied. One particular ramification is
the impact on customer retention. This was especially well exemplified by
the disaster at TalkTalk, where they recently disclosed that its profits
were half the amount they were for 2015, in part because of the breach.

The impact of a data breach on brand, reputation and customer loyalty may
range from a temporary business set-back to completely putting a company
out of business. In particularly competitive markets, why deal with a
company known to have lost customer details when you could easily choose a
similar vendor without the black mark of a data breach? A 2015 Deloitte
survey showed that 73% of consumers would “think twice about using
companies that failed to keep their data safe.”

Stock price, and the associated market capitalization, is another area of
potential impact. Several reports, including one from KPMG in mid-2015,
assert that investors and investment firms will tend to back away from
companies that have suffered a breach. Perhaps some of the investor fear
comes from the threat of a secondary or subsequent breach due to credential
theft or other information that a cybercriminal may have secretly acquired
in the first attack.  Fear could also involve longer term effects on the
company’s business.

There are other things to worry about besides data theft. Other dangers
that pose far greater threats to the viability of a business. Some of these
include:

Intellectual Property Theft - There is burgeoning world commerce based on
stolen or copied intellectual property, ranging from defense equipment to
computer software or communications equipment and drug designs.

Theft of Other Company Secrets - While not technically IP, law firms are
entrusted with a wealth of secrets and confidential information from their
clients. Loss of this information would not just precipitate large-scale
damage claims and settlements, but it would threaten the very business of
the firm. Who would want to trust a law firm that has proven itself
incapable of protecting the confidential information of its clients?

Data and Code Sabotage - An even more insidious IP threat is looming.
Instead of the outright theft of trade secrets, cybercriminals can
potentially access a software-based product and create a backdoor or
ticking time bomb that they can use for extortion or theft that is orders
of magnitude greater than identity details. Criminals can also manipulate
data or settings in applications. Back in 2004, Microsoft Windows 2000
source code was obtained from a Microsoft partner and leaked out broadly.
The scenario could have turned out differently, where a cybercriminal could
have secretly gained direct access to the source code and modified it. In
2014 string of compromises of European financial institutions enabled cyber
attackers to implant code they later used to steal 100’s of millions of
dollars from banks and ATM’s.

Life and Limb - An extreme form of sabotage could actually directly imperil
life or limb. Already fears have been raised about the vulnerability of
medical devices. Cybercriminals could potentially penetrate hospital
networks and establish a secret control point to commandeer important
medical equipment unless extortion payment is made. Similarly, the networks
of an infrastructure management company, such as operators of a dam or
power plant, could be penetrated and extorted for payment.

The impact of a data breach today where personal information is stolen may
not be calamitous for a large company, but it does not mean that one can
breathe easy. New criminal activities are looming that would produce a far
greater impact on a company’s business. Small and medium enterprises could
be wiped out by the theft of personally identifiable information today, and
certainly could not stand up to the greater threats.

Enterprises of all sizes need to be mindful of the alarm that has sounded.
It’s time to wake up and consider a new approach to protecting businesses
from cyber-attacks.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20160623/78ac5ec2/attachment.html>