Data security breaches are no longer just an IT problem—they’re a C-suite problem. By now this should be obvious to everyone. Today’s advanced hackers — including cybercriminals, nation states, hacktivists and malicious insiders—are perpetrating ever more targeted, dangerous and frequent attacks. And the cost of these attacks is growing fast. The average total cost of a breach was $4 million in 2016, up 29 percent since 2013.
And yet security is still not top of mind in the C-suite. Too many CEOs still consider security breaches merely a cost of doing business — rather than a serious threat to their companies. They know breaches cast a long shadow, but they tend to look at the bright side. They figure they can simply buy cyberinsurance or set aside emergency funds for that rainy day.
What they don’t understand is that the costs of a breach run very deep. A new Ponemon study commissioned by Centrify confirms that a data breach can cripple an entire organization, negatively impacting company value, business productivity and brand reputation. Specifically, the study found that company stock prices fall an average of five percent on the day a breach is exposed.
And it gets worse. Companies often lose a third or more of their customers due to a breach. The new study found that 31 percent of consumers will discontinue their relationship with a breached organization and 65 percent will lose trust in that organization.
This study should serve as a wakeup call for every senior executive. No one wants to be the next Yahoo, which suffered two massive data breaches, affecting an estimated one billion accounts -- and resulted in a $350 million reduction in the company’s sale price to Verizon. In a more recent example, Chipotle, which rose as much as 6.8 percent after reporting better than expected Q1 earnings saw its gains cut in half when it revealed it had experienced a data breach. The cost to Chipotle shareholders? Over $400 million. When a breach can decimate your valuation and destroy your customer base, it’s time for the C-suite to sit up and take notice. Their tenure may depend on it.
Here’s the bottom line: security is a core business concern that demands the attention of the CEO, the C-suite and the board of directors. In fact, a breach can damage a company’s image for good. The Ponemon study found that breaches rank in the top-three most negative impacts to brand reputation, following terrible customer service and environmental disaster — and higher even than a scandal involving the CEO. Yet, in many organizations, security is relegated almost entirely to IT. And according to the study, 61 percent of IT practitioners do not believe their companies have a high level of ability to prevent breaches.
When you couple this with the 71 percent of CMOs who believe the biggest cost of a security incident is the loss of brand value and the whopping 66 percent of IT respondents who do not believe protecting their company’s brand is their responsibility, one quickly sees a glaring and potentially disastrous internal disconnect.
Perhaps even more alarming is the misalignment between companies and consumers regarding the protection of personal information. Eighty percent of consumers believe organizations have an obligation to take reasonable steps to secure their personal information. But only 64 percent of IT professionals agree. Once breached, consumers don’t easily forgive or forget.
This new report serves as a wake-up call to every organization that security isn’t just about protecting data, it’s about protecting the business. It can no longer be considered just an IT problem -- it must be elevated to the C-suite and boardroom because it requires a holistic and strategic approach to protecting the whole organization. But these decision-makers need to fully understand the security problem, because most organizations aren’t making smart security investments.
Companies will spend more than $80 billion on cybersecurity in 2017. But that massive amount of money is not making a dent in the problem. A recent Forrester study found that an astonishing two-thirds of all organizations were breached in the past two years—and many of them suffered multiple breaches.
Why? Because companies continue to invest in digital firewalls and endpoint security to protect their assets, and these are not protecting them from a breach. Today, with the rapid introduction of new technologies, platforms, applications and practices, companies are operating in a very different security landscape. As organizations move their data to the cloud, share it with partners and allow their employees to access data from almost any location on their PCs, smartphones and other devices, billions of new connection points are been created and with it, just as many potential vulnerabilities.
In fact, employees are now ground zero when it comes to vulnerability. The latest Verizon Data Breach Investigations Report revealed 81% of breaches came from compromised credentials—i.e. stolen user IDs and passwords. What’s more, Forrester now estimates that 80 percent of security breaches involve privileged credentials. Yet, of the $80 billion spend on cybersecurity, less than 10 percent is targeted at identity and accessmanagement technologies designed to stop breaches.
It’s not vital for C-suite execs to be cybersecurity experts. But they do need to have the right investment priorities. And if they do, they will benefit. Companies that invest in Identity and Access Management (IAM) best practices—such as taking the appropriate steps to secure privileged identities—experience far fewer breaches compared to companies that do not, according to a the Forrester survey. These companies are 50% less likely to experience a breach. And even better, employing IAM best practices can result in organizations spending 40 percent less on technology.
Here's the reality: Breaches don’t have to happen. But to ensure they don’t, leadership needs to make stopping them a business priority.
Learn more about the “Impact of Data Breaches on Reputation & Share Value” report here.
This is written by the individual author in his/her personal capacity, and the opinions, views and/or thoughts expressed herein are solely the author’s own. They are not intended to and may not necessarily reflect the official policy or position, or the opinions or views of ThycoticCentrify or its affiliates, employees, or any other group or individual.