The familiar adage “it’s not a case of if you will be breached, but when” has arguably been a key contributing factor in the rise of ‘security fatigue’. There can be a sense of defeatism among some organisations that a data breach is inevitable so why bother spending precious money and time on security that won’t make you 100% secure?
Research published by Ponemon Institute today has found that investing in security helps protect the organisation even when the worst happens: companies with a strong security posture see their stock price recover much more quickly following a data breach than those with a poor security posture.
‘The Impact of Data Breaches on Reputation & Share Value: A Study of Marketers, IT Practitioners and Consumers in the United Kingdom’, sponsored by Centrify, looked at 113 publicly traded benchmarked companies that experienced a data breach involving the loss of customer or consumer data.
Ponemon created a portfolio composed of the stock prices of these companies and tracked the index value for 30 days prior to the announcement of the data breach and 90 days following the data breach. Companies that had a strong security posture and that quickly responded to the breach recovered their stock value after an average of 7 days.
In stark contrast, companies that had a poor security posture at the time of the data breach and did not respond quickly to the incident experienced a stock price decline that on average lasted more than 90 days. The difference in the loss of share price between companies with a low security posture and a high security posture averaged 4%.
As well as examining the stock price impact of a data breach, the research also elicited the views of three diverse groups who have in common the ability to influence share value and reputation: IT practitioners, Chief Marketing Officers (CMOs) and consumers. This identified some telling blind spots, which suggest there is still a need for greater joined-up thinking in organisations when it comes to cyber security.
Reputational damage was regarded by both IT practitioners and CMOs as one of the biggest concerns following a data breach, and yet only 23% of CMOs and 3% of IT practitioners say they would be concerned about a decline in their companies’ stock price. In organisations that had a data breach, only 5% of CMOs and 6% of IT professionals say a negative consequence of the breach was a decline in their companies’ stock price. It seems there is a need for Chief Financial Officers to communicate more effectively with the IT and marketing departments of their organisations about the financial impact of a data breach.
Ponemon also identified gaps between how consumers, IT practitioners and marketers perceive privacy and security obligations. While 73% of consumers surveyed believe organisations have an obligation to control access to their information, 46% of CMOs and 44% of IT security practitioners believe this is an obligation. With the GDPR coming into effect in 12 months, it is surprising – and concerning – that more IT practitioners and CMOs are not aware of their existing obligations, and how they are likely to become more demanding.