Despite the increasing number of successful cyber-attacks on major commercial organisations (JP Morgan, Sony, Anthem etc.) in the last two years, it appears that commercial organisations are still underestimating the risks and potential damages associated with a large-scale loss of sensitive data.
Security experts continue to reveal that too many organisations also under-invest in effective security plans. US expert Bob Jensen, currently on a month long speaking tour of Australia, joins the queue:
“Cyber threats are rapidly evolving and are now a bigger potential risk to businesses than terrorism events.”
It’s a fairly bleak proclamation, but it’s also easy to see how this could be the case. Business continuity planning is now an integral part of any organisation’s long-term strategy: cloud-based IT and communications offer resilience and continuity of service that make businesses geographically independent. Mirrored systems, automatic fail-over, power redundancy, intelligent call routing and queuing... the list goes on. Should disaster strike, most major organisations are able to provide business as usual whilst barely missing a step.
But what happens if, instead of losing power or connectivity to a site, you lose a shed load of sensitive data? Data breaches have become headline news over the last couple of years; hardly a week goes by without someone announcing the loss of thousands, if not millions, of customer records. At what point does enough become enough? When do we get to the point that “we’re mad as hell and we’re not going to take it any more!”?
Well, I’d say we’re just about there. President Obama and Prime Minister David Cameron have been vocal about the role of encryption recently. Cyber security made it into Obama’s State of the Union address, the Sony breach featured in the opening monologue at this year’s Golden Globe Awards and the calls for mandatory breach notifications are heard loud across the world.
The underestimation of risk may be because there haven’t been enough high profile penalties for data loss cases. This too is changing as we see a range of court cases underway that promise to see record financial penalties issued to companies who have suffered data breaches. In addition to punitive damages, there are a range of additional direct costs associated with data breaches, including consultancy fees, new technology and compensation.
Two of the high profile breaches in 2014 (Target and Home Depot) give some insight into the potential costs of a successful breach. By the end of the year, Home Depot reported over 40 separate legal actions filed against them and over $40 million in breach-related costs. It is the likes of Target, however, that could prove to be the object lesson from which everyone learns the true cost of a data breach.
At the end of their last quarter, Target reported $248 million of breach-related expenses, though this may be just the tip of the iceberg as the PCI is gunning for them. Whilst estimates vary, Target could find themselves on the wrong end of a $1 billion fine from the Payment Card Industry Data Security Standard enforcers. It doesn’t matter how big your business is, that’s got to hurt.