Share prices drop 5% after a data breach – so why is protecting information still not seen as a ‘business problem’?

Posted: 10/06/2017 - 10:10

The impact of a data breach sends shock waves throughout an entire company. Recent high-profile cybersecurity crises hitting organisations including Equifax, WongaYahooTalkTalk and the NHS have highlighted the significant, far reaching consequences data breach can have on reputation, customer trust, share price and company finances. Ponemon research study commissioned by Centrify has shown, for example, that consumers are ready to walk away from a company that fails to ensure their privacy.  

An astonishing half of all consumers (51 per cent) have been notified by a company or government body that their personal information has been lost or stolen as a result of one or more data breaches in the past two years. This has caused serious damage: 65 per cent of consumers lost trust in that organisation, and one in four has ended their relationship with the company following a security incident.

In addition to tarnishing a company’s reputation, data breaches hit shareholder value. The Ponemon report found that the stock value index of 113 companies declined an average of five per cent the day a breach was disclosed, resulting in millions of pounds of losses. They also experienced up to a seven per cent customer churn.

With GDPR and mandatory breach notifications on the horizonit has never been more important for a company to take adequate steps to secure its data  particularly if it is involved in a complex and geographically dispersed supply chain. Ponemon’s research reveals that most businesses currently lack the understanding and leadership necessary to do this, however. 

The expectations gap

When it comes to safeguarding their personal information and preventing data loss, consumers expect companies to take more responsibility than they’re willing to assume. Almost three quarters of consumers (73 per cent) believe organisations have an obligation to control who has access to their personal information, but less than half (44 per centof IT practitioners agree.   

Consumers have a distinct lack of faith in companies’ abilities to meet their expectations. Seventy per cent say privacy and security practices are very important to preserving their trust, but only 31 per cent believe organisations are able, at a high level, to protect their personal information.

The C-suite blind spot

With so much at stake, data security has become a bottom-line concern, and should be elevated to the boardroom. Senior executives must take the lead on developing and implementing a comprehensive security strategy that protects the entire business and brand, with a holistic approach that also incorporates the supply chain. 

Worryingly, however, 39 per cent of IT practitioners don’t believe senior level executives take brand protection seriously, while 70 per cent do not believe their companies have a high-level ability to prevent breaches.

IT itself also needs to better understand the link between cybersecurity and the wider implications of a breach: 71 per cent of IT practitioners do not believe that brand protection is their responsibility, while only 18 per cent allocate a portion of their IT security budget to brand preservation. Only three per cent of IT pros are concerned about falling share prices following a breach. If this is to change, it needs to be driven from the top.   

There are a number of industry best practices a business can follow to protect its image, strengthen its credibility and retain its customer loyaltyImproving cybersecurity is essential for strengthening a company’s resilience to breaches as well as its ability to recover if the worst happens. 

Appoint a fully dedicated CISOIt’s the role of the Chief Information Security Officer (CISO) to educate senior executives othe merits of investing in adequate security defences. The ideal candidate will be someone who has an established track record of moving organisations from an immature to a strong security posture, and who can bring real experience to achieving best practice.   

Invest in securitycomprehensive security strategy is central to preventing unauthorised access to and disclosure of customer data, and ensuring the confidentiality, integrity, availability and resilience of systems and services. There must be adequate budget allocated to invest in skilled staff and up-to-date security enabling technologies – particularly enterprise-wide encryption.

Invest in other resourcesStrategic investments in people, processes and technologies will also protect the organisation if a breach occurs. Companies with a strong security posture are better equipped to respond to a breach event – and the same report found that organisations in this category saw an average share price decline of no more than three per cent, with the stock value recovering after only seven days. In contrast, the stock prices of companies with a poor security posture declined as much as seven per centand this lasted on average more than 90 days. They were also more likely to lose customers. 

Plan for the worst. Less than a third of IT professionals rate their companies’ ability to prevent or resolve a data breach as highTo improve confidence in this areaan effective data breach preparedness plan is critical. This should include procedures for communicating with investors and regulators.

Build a culture of security awareness. Effective training and awareness programmes will reduce employee negligence by increasing their understanding of the risks and threats posed by cyberattacks, and ensure everyone is working together to protect against potential infiltrators.  

Undertake regular security vulnerability auditsRegular assessments will ensure that any security holes in a computer, network, or communications infrastructure are identified. Measures can then be taken to address them and guard against future breaches.

Incorporate policies and assessments for managing third-party riskAn identity and access management (IAM) system is a good starting point to audit and categorise who has access to what data and when, and exercise control over who sees what.

Collaborate across silos. Internal teams must focus on the bigger picture and open up more clear channels of communication across lines of business, working together to determine data security prioritiesCMOs and their teams are a vital component in incident response plans, for example.  

Participate in threat sharing programmes. Similar organisations can often be targeted by the same threat, so taking part in a threat sharing programme with partners and companies you trust offers a better and often faster way to detect attacksIt also helps you avoid doing work that has already been carried out by someone else. 

Data breaches have become commonplace, and are a business problem with serious consequences. The C-suite needs to be actively engaged in defending a company’s reputation and value by addressing how information is used and secured. Without strong leadership, there will continue to be a disconnect between the priorities of organisations and their customers, and lack of clarity over who is responsible for protecting customer dataThe outcome will be lost customers and millions being wiped off share prices, with no hope of a quick recovery.



About The Author

Andy Heather's picture

Andy Heather is Vice President and Managing Director for Europe, Middle East and Africa (EMEA) for Centrify.  Andy joined the company in June 2016 from HP where he led its EMEA Data Security team and has over 25 years of IT experience in sales, sales management, engineering and professional services. Prior to his role at HP Andy held a number of senior sales management roles at organisations including Tripwire, Affiniti, Opsware, NetApp, Sun Microsystems and IBM.