The not-so hidden cost of data breaches

That sultry, sexy, “shh.” We’ve all seen it over and over and over again during the past month. That “shh” promised sex and security. It looks like Ashley Madison didn’t deliver much of either.

Except for the sordid stories that keep Ashley Madison in the news, there is really nothing notable about the Ashley Madison breach. We are swimming in a sea of data breaches. They’ve become so routine it takes sex and scandal for anyone to notice.

With so many data breaches over the past several years, you would expect companies (and governments) to do something about them. Bad publicity. Large fines. Lawsuits. You’d expect action. You’d expect changes. But no…

Yes, we do get columns from horrified pundits, breathless press releases from security startups seeking funding, but, at the end of the day, no change. Just another round of data breaches.

Data breaches need to matter more

Ashley Madison had to have known the site was at risk. A breach at Adult Friend Finder was announced in May of this year. Sensitive information on 4 million current and former Adult Friend Finder customers was outed.

Companies are (usually) rational. When there is a problem that isn’t getting fixed, it probably isn’t that big a problem. And that’s where we are with data breaches. The evidence is clear. Data breaches just don’t matter much.

The worst case reported costs for the recent major breaches at Target, Sony, and Home Depot were estimated at between 0.01% and 2% of annual sales. For example, the massive Target breach cost the company $252 million. That sounds serious until you consider that the cost per breached customer was at most between $4 and $5. And that’s before insurance and tax deductions. It’s closer to half that. Spread out over years.

So it’s just a blip — if you look at data breaches as IT and PR problems. But they’re not: They’re a real business problem.

Soft costs, hard numbers

The problem is that the math is a bit off.
The reported costs are the hard numbers for the companies to “restore their IT systems” and pay fines, penalties, and lawyers. But the hard costs are small compared to the soft costs, much less the costs for their customers (a topic for another day).

Back to Target

Target had a terrible 2014. The massive data breach hit just in time for the holidays at the end of 2013: Approximately 10 million fewer customers in January 2014 compared to 2013. Financials for 2014 were anaemic to grim, with its diluted earnings per share shrinking by 8.8 percent (compared with 3.4 percent shrinkage for Walmart). Looking at it another way, it was a reduction of around $600 million in EBIT (-12.6 percent).

Discount that loss any way you want, but those numbers are real. And they’re not covered by insurance or deductions.

Real money

Sorry, security folks, we need to start talking money and business. Not fear and tech. If you can’t save money or make money doing security, don’t.

A well-established, traditional business like Target will likely turn around. Big box stores have eliminated a lot of their local competition, so many customers will return, eventually. They have little choice (though 2014 was a good year for Amazon Prime – coincidence?).

But for a lot of businesses, a major data breach could be a company killer. Or crippler. Before the breach, Ashley Madison was busily seeking investors. I don’t think anyone thinks this incident is good for Ashley Madison. This data breach has to have notably decreased the company’s valuation. Fewer subscribers. Increased churn. Any potential investor is going to look extra closely at their operations. Not to mention distractions of lawsuits and government investigations.

This is where security professionals need to focus. Stop begging your CIO for staff and equipment funding. Instead, warn the CFO of the hundreds of millions in revenue the company may lose if he or she doesn’t invest in it.
It’s your turn

How do you justify or judge security expenditures? Are you satisfied with your security program? Why or why not? What security topics would you like covered? I look forward to your comments below. Or feel free to email me directly.