Data Breach, Security Culture, and Your Customers
- Dr. Mike Bonnes
- Dec 15, 2023
- 4 min read
Large and small companies should consider this article when developing their security budgets and culture. Here are some stats to think about.
Ponemon released a report on the impact of data breaches on the stock prices and customer losses of breached companies. According to the report, these companies experienced an average stock price decline of 5 percent immediately following the disclosure of their breach.
Notably, the companies less likely to see a continued decline in stock price are those with robust security models built through investment in people, processes, and technologies. Because of that commitment, these companies can respond quickly to a data breach, and thanks to that quick response they recovered their stock value in an average of 7 days.
Contrast this with companies that have little or no security around customer data, or that believe security is not a needed part of the business culture. They were not able to respond to the data breach quickly, and they experienced a stock price decline that on average lasted more than 90 days. On top of that, companies with a poor security model were likely to lose customers. Customers identified in a breach were surveyed, and they said they discontinued their relationship with the breached company; 65% of the customers identified in a breach said they lost trust in the breached business.
Of the companies in the research, those that experienced a data breach saw an average revenue loss of 2.67 million. Businesses that experienced a more significant breach saw an average revenue loss of 3.94 million. Since all this evidence points to the responsibility of the business to protect personal data, marketing leaders believe that data breaches directly impact the brand.
What customers believe and expect
80% of customers believe businesses must take reasonable steps to secure their personal information. Some business leaders disagree with customers that they must protect personal data beyond their bare minimum standard.
This disparity in beliefs about responsibility speaks to the most significant issue in data security: a business that handles personal data in its processes does not believe it is responsible for protecting that data. Why is this? Is it the pursuit of revenue, such that they are willing to expose the customer's data to risk? Or is it because they do not expect a breach, should one happen, to impact their business substantially? Or is it the human-nature belief that "it won't happen to me"? Whatever the business believes or does not believe, if it is breached, expect customers to walk away, be prepared to spend a great deal of money to get them back, and, most of all, hope they do not stay away.
SES Score
The Ponemon research report characterizes businesses by Security Effectiveness Score (SES) attributes, for example:
A business with a high SES had:
- A CISO
- Sufficient budget for staffing and investment in security technologies
- Strategic investment in appropriate security people, processes, and technologies
- Security training and programs designed to reduce unintentional security errors by employees
- Regular audits and assessments of security vulnerabilities
- A comprehensive security program with policies and risk assessments to manage internal and third-party risks
- Participation in threat-sharing programs
A business with a low SES had:
- Lack of incident response plans, or plans that were never tested
- Frequent turnover of IT security personnel
- Poor data retention practices
- Leadership that values the productivity of the workforce over security
- Lack of collaboration between lines of business and IT security in determining IT security priorities
What is the relationship between share value and the SES score?
Companies with a high SES had a decline in stock value of no more than three percent immediately following disclosure of the breach (day "0"); 90 days after the breach, their stock index value showed a three percent gain above the pre-breach stock price. Companies with a superior security model that reacted quickly to the data breach event recovered their stock value within a week. For companies with an inadequate security model, the stock price did not fully recover after the breach; those companies experienced a decline in stock price lasting over 90 days.
So, with all this evidence presented here, what do the customers believe? 69% of polled customers consider privacy and security practices to be of the highest importance and the responsibility of business and government. Only 26% believe that business and government protect their personal information. Only 21% of customers believe they have control over their personal information. Here is the key finding: 80% of customers "expect" companies to protect their data.
Do you meet the expectations of your business partners and customers on protecting regulatory data or credit card data?
I want to loosely apply the SES score, in the spirit of this article, to get a general feel for how your business fares on its security beliefs and culture. Let's set a baseline value of 100% as the highest SES you want to achieve: strong business resilience.
- Give your business 20% SES if a CISO is in leadership and fully engaged.
- Give your business 20% SES if an adequate budget for staffing and investment in security technologies is set aside.
- Give your business 15% SES if a strategic investment is made in appropriate security technologies and knowledgeable staff.
- Give your business 15% SES for training and awareness programs to reduce employee negligence.
- Give your business 10% SES if regular audits and assessments of security vulnerabilities are performed.
- Give your business 10% SES for a comprehensive program with policies and appraisal of third-party risk.
- Give your business 10% SES for participation in threat-sharing programs (InfraGard, etc.).
- Subtract 30% SES for a lack of incident response plans, or plans that have not been thoroughly tested.
- Subtract 30% SES for inadequate funding for staffing and investment in security technologies.
- Subtract 15% SES for frequent turnover of IT security personnel.
- Subtract 20% SES for poor data retention practices.
- Subtract 80% SES if leadership values the productivity of the workforce over security (affirming to the workforce the belief that customers do not come to your business for security).
- Subtract 40% SES for a lack of collaboration between lines of business and IT security in determining IT security priorities.
Well, if you have to subtract more than 100%, you know you are ripe for a breach, and recovery will be an uphill battle.
This little exercise will help you understand your security culture in general.