Wonga, Yahoo and TalkTalk are just some of the countless high-profile breaches we have seen over the past twelve months, all of which have illustrated just how damaging a data breach can be. While exposure of valuable data is probably the number one consequence, the extended impact on customer trust, shareholder value and brand reputation can be just as devastating. A recent Ponemon Research study commissioned by Centrify, examining the impact of data breaches on reputation and share value, has highlighted an average share price drop of five per cent, an increase in customer churn and severely tarnished brand reputation. Just as interesting, as we now discover, is what happens after the breach and how maintaining a high security posture can positively impact recovery time.
Security posture matters
As part of this study, the index value of 113 publicly traded benchmarked companies that had experienced a data breach involving the loss of customer or consumer data was tracked for 30 days prior to the announcement of the data breach and then for 120 days following it. These companies experienced a 5 per cent price decline immediately following the disclosure of the breach. More revealing is that those companies that had made investments in people, process and technologies, and were categorised as having a strong security posture, were less likely to see a decline in share prices, mainly because they are better equipped to respond.
Companies with a self-reported superior security posture saw a decline of no more than three per cent and, 120 days following a breach, had actually recovered with a three per cent gain on the stock price they had prior to the breach. In stark contrast, those with a poor security posture experienced a share price decline as high as seven per cent and, 120 days following the breach, had not fully recovered the share price they had prior to the breach.
Measuring Security Posture
Security posture is measured by the Security Effectiveness Score (SES), a proprietary methodology developed by Ponemon Institute for its annual encryption trends survey to define the security posture of responding organisations. The SES is derived from the rating of numerous security features or practices. A high, favourable score indicates that the organisation’s investment in people and technologies is both effective in achieving its security mission and efficient.
Data breaches are widespread, and companies with either a positive or a negative security posture can experience the loss or theft of sensitive and confidential information. What is obvious, though, is that those with a strong security posture are more resilient, so a detrimental impact on stock price is less likely for them than for those with a weak security posture. Companies that possess a high security posture displayed the following attributes:
- Fully dedicated CISO
- Adequate budget for staffing and investment in enabling security technologies
- Strategic investment in appropriate security enabling technologies, especially enterprise-wide encryption
- Training and awareness programs designed to reduce employee negligence
- Regular audits and assessments of security vulnerabilities
- A comprehensive program with policies and assessment to manage third-party risk
- Participation in threat sharing programs
Conversely, those with a low security effectiveness score, and therefore a poor security posture, can be characterised by a lack of incident response plans, limited or inadequate funding for staffing and investment in enabling security technologies, frequent turnover of IT security personnel, poor data retention practices, and a C-Suite that places a higher value on workforce productivity than on security and the cross-business collaboration to determine IT security priorities.
The study gathered the views of IT and Marketing professionals, and what was evident was the disconnect between these roles in their beliefs about the effects of a data breach. For example, a startling 71 per cent of IT practitioners do not believe that brand protection is their responsibility.
70 per cent of IT practitioners do not believe their companies have a high-level ability to prevent breaches; however, 58 per cent of CMOs are confident that their company would be resilient to a data breach that results in the loss or theft of high value assets.
There’s a clear blind spot when it comes to data breaches and the impact they have on share price. Just 23 per cent of CMOs and 3 per cent of IT practitioners are concerned about a decline in their company’s share price. For those that had a breach, only five per cent of CMOs and six per cent of IT professionals say that there was a decline in share price as a result of the breach.
CMOs are more concerned than IT practitioners about the preservation of their companies’ brand and reputation. IT practitioners, by contrast, believe their primary role is protecting their organisation’s sensitive and confidential information, so 71 per cent don’t think brand protection is their responsibility.
CMOs would like IT practitioners to take more responsibility, with 65 per cent of CMOs believing that IT should take responsibility for brand protection. They are both in agreement: 39 per cent of IT practitioners and 36 per cent of CMOs don’t believe that brand protection is not taken seriously in the C-Suite.
There are other interesting differences between CMOs and IT practitioners in perceptions about the relationship between reputation and security. Only 43 per cent of IT practitioners recognise that a material cybersecurity incident or data breach would diminish the brand value of their company, but a much higher percentage of CMOs (76 per cent) believe a material breach is a threat to brand value. Very few CMOs and IT practitioners are likely to believe a strategic security infrastructure is a competitive advantage (38 per cent of both CMOs and IT practitioners).
From the top down
Today, many organisations view breaches as inevitable, which can create a sense of defeatism and lead them to question the value of spending on security when it won't make them 100% secure. However, what we have discovered from this research is that investing in security helps protect the organisation even when the worst happens, as companies with a strong security posture experience much quicker stock price recovery than those with a poor security posture following a data breach.
Driving a strong security posture must emanate from the C-Suite, but for many it’s still a blind spot. A joined-up approach is essential, and leadership must recognise that protecting data is no longer just an IT problem, but a bottom-line business concern that needs a holistic and strategic approach to protecting the whole organisation.
Bill Mann, Senior Vice President of Products and Chief Product Officer at Centrify