Major data breaches are a nightmare that can keep CEOs awake at night. A drop in share price is an almost inevitable consequence, but a stronger data security posture across the enterprise can mitigate the impact by as much as 4%, or $3.90, compared with breached organisations where data security was poor, according to research commissioned by Centrify from Ponemon Institute.
In a detailed study, the share prices of 113 companies which had experienced a data breach were tracked from 30 days before the event was announced to 120 days afterwards. The security posture of the businesses involved was assessed, looking at dimensions such as presence of a chief information security officer, training programmes and audits, to generate a score for security effectiveness (SES). Of the sample, 57 companies were rated +0.67 and 56 were rated -0.71.
For high SES firms, stock price went down no more than 3% following the breach, recovering within seven days and actually climbing to an average index 3% above its previous position. Among low SES firms, there was no such recovery - share prices dropped by as much as 6.9% and the effects appeared long lasting. The average post-breach fall for all companies was 5%.
“I am not surprised that stock prices go down, or that companies with a better data security organisation, technology and management do better,” said Bill Mann, chief product officer at Centrify in an interview with DataIQ in May following the publication of the report. “But I am surprised about the disconnect between people working in organisations in IT and marketing compared to what consumers believe they should be doing.”
This dimension of data breaches was explored in the study via research among 313 IT professionals, 292 CMOs and 405 consumers. Four in ten of those in IT worked in a business that had suffered a data breach, while 23% of CMOs did, but 51% of consumers said they had received a data breach notification in the past two years. For consumers, the impact was direct: 65% said they lost trust in an organisation, while 27% claimed to have ended a relationship with a business as a consequence, and 11% suffered fraud or identity theft.
But there was little agreement between IT and marketing about who is responsible and how to respond. Among CMOs, 76% said a data breach would diminish brand value - only 43% of IT professionals agreed. In IT, 71% said protecting brand value is not their job - only 35% of CMOs agreed. For consumers, 70% say data security is important to preserve their trust.
“CMOs and CISOs are not talking to each other,” said Mann. “As you go further down the organisation, IT people are not talking about the brand, they don’t see the impact on it of what they do day-to-day. It is all about mindset and it is not just about information security software.”
Commenting on the findings, Dr Jessica Barker, an independent cyber-security expert, told DataIQ: “It can be really challenging because organisations work in silos and cyber-security is seen as an IT issue. Brand and marketing have a part to play, but they don’t come together and talk enough. They have different perspectives and levels of understanding about the responsibilities which everybody has to safeguard data.”
Mann pointed out that this culture clash exists at a fundamental level of psychology. “Geeks tend to work in IT because they don’t want to interact with people, whereas marketing is full of people who are very outgoing and want to interact. The challenge is telling a data security story in a language everybody will understand,” he said.
For the information security industry, something of a paradox is emerging around how to reassure consumers that their personal information is safe. “In the banking sector, companies don’t tell the public what software they use for security reasons. In my opinion, that is going to change,” said Mann. “They are going to have to start thinking very carefully about how they explain what they are doing to protect information and privacy.”
The experience Barker has gained consulting in the defence sector has shown her how a strong data security culture can be created, although she acknowledged that it has an in-built disposition towards protecting sensitive information. Nevertheless, the key is to make data security relevant to everybody’s daily experience so that it becomes part of the organisational culture. As she said: “Don’t just say it, live it.”