Data Breach, Security Culture and your customers

  • Writer: Dr. Mike Bonnes
  • May 3, 2018
  • 5 min read

Large and small companies alike should keep this article in mind when developing their security budgets and their security culture. Here are some statistics to think about.

Ponemon released a report on the impact of data breaches on the stock price and customer losses of companies that have been breached. In the report, these companies experienced an average stock price decline of 5 percent immediately following the disclosure of their breach.

Notably, the companies least likely to see a continuing decline in stock price are those with a strong security model built through investments in people, processes, and technologies. Because of this strong security commitment, these companies can respond to a data breach quickly, and those that did recovered their stock value in an average of 7 days.

Now contrast this with companies that have little or no security around customer data, or that believe security is not a necessary part of the business culture. They were not able to respond to the data breach quickly, and they experienced a stock price decline that on average lasted more than 90 days. On top of that, companies with a poor security model were likely to lose customers: surveyed customers whose data was identified in a breach said they discontinued their relationship with the breached company, and 65% of the customers identified in a breach said they lost trust in the business that was breached.

Of the companies in the research, those that experienced a data breach saw an average revenue loss of 2.67 million. A business that experienced a larger breach saw an average revenue loss of 3.94 million. Since all this evidence points to the responsibility of the business to protect personal data, marketing leaders believe that data breaches have a direct impact on the brand.

What customers believe and expect

80% of customers believe businesses must take reasonable steps to secure their personal information, while a portion of business leadership disagrees, holding that they need not protect personal data beyond their bare minimum standard.

This disparity in beliefs about responsibility speaks to the biggest issue in data security: a business that handles personal data in its business processes does not believe it has the responsibility to protect that data. Why is this? Is it the pursuit of revenue that makes them willing to expose the customer’s data to risk? (A rhetorical question.) Or is it because they do not expect a breach to have any substantial impact on their business, should one happen? Or is it the human-nature belief that “it won’t happen to me”? Whatever the business believes or does not believe, if it is breached, expect customers to walk away, be prepared to spend a great deal of money to get them back, and most of all hope they do not stay away.

SES Score

The Ponemon research report characterizes businesses by Security Effectiveness Score (SES) attributes, for example:

A business with a high SES had:

  1. A CISO

  2. Sufficient budget for staffing and investment in security technologies

  3. Strategic investment in appropriate security people, processes, and technologies

  4. Security training and programs designed to reduce unintentional security errors by employees

  5. Regular audits and assessments of security vulnerabilities

  6. A comprehensive security program with policies and risk assessments to manage internal risk and third-party risk

  7. Participation in threat sharing programs

A business with a low SES had:

  1. Lack of incident response plans, or of tested plans

  2. Frequent turnover of IT security personnel

  3. Poor data retention practices

  4. Leadership that values the productivity of the workforce over security

  5. Lack of collaboration between lines of business and IT security in determining IT security priorities

What is the relationship between share value and a strong SES value?

Companies with a high SES had a decline in stock value of no more than three percent following the disclosure of the breach (“day 0”); 90 days after the breach, the stock index value showed a gain of three percent above the pre-breach stock price. Companies with a superior security model that reacted quickly to the data breach event recovered their stock value in a week. For companies with an inadequate security model in place, the stock price did not fully recover after the breach; those companies experienced a decline in stock price lasting longer than 90 days.

So, with all this evidence presented here, what do customers believe? 69% of the polled customers rated privacy and security practices as of the highest importance and as the responsibility of business and government. Only 26% believe that business and government protect their personal information. Only 21% of customers believe they have control over their personal information. Here is the key finding: 80% of customers “expect” companies to protect their data.

Do you meet the expectations of your business partners and customers on protecting regulatory data or credit card data?

I want to loosely apply the SES score to get a general feel for how your business fares on its security beliefs and its culture, all in the spirit of this article. Let’s set a baseline value, say 100%, as the highest SES that you want to achieve: strong business resilience.

Give your business 20% SES if a CISO is in leadership and fully engaged.

Give your business 20% SES if an adequate budget for staffing and investment in security technologies is set aside.

Give your business 15% SES for strategic investment in appropriate security technologies and knowledgeable staff.

Give your business 15% SES for training and awareness programs designed to reduce employee negligence.

Give your business 10% SES if regular audits and assessments of security vulnerabilities are performed.

Give your business 10% SES for a comprehensive program with policies and appraisal of third-party risk.

Give your business 10% SES for participation in threat sharing programs (InfraGard, etc.).

Subtract from your business 30% SES for a lack of incident response plans or fully tested plans.

Subtract from your business 30% SES for inadequate funding for staffing and investment in security technologies.

Subtract from your business 15% SES for frequent turnover of IT security personnel.

Subtract from your business 20% SES for poor data retention practices.

Subtract from your business 80% SES if leadership values the productivity of the workforce over security (affirming to the workforce the belief that customers do not come to your business for security).

Subtract from your business 40% SES for a lack of collaboration between lines of business and IT security in determining IT security priorities.

Well, you know you are ripe for a breach, and recovery will be an uphill battle, if you had to subtract more than 100%.

This little exercise will help you understand, in general terms, your security culture.
