by Steven B. Davis

Will the Ashley Madison hack really bring about any change in corporate IT security?

Sep 08, 2015

The not-so-hidden cost of data breaches.

That sultry, sexy, “shh.”

We’ve all seen it over and over and over again during the past month.

That “shh” promised sex and security. It looks like Ashley Madison didn’t deliver much of either.

Except for the sordid stories that keep Ashley Madison in the news, there is really nothing notable about the Ashley Madison breach. We are swimming in a sea of data breaches. They’ve become so routine it takes sex and scandal for anyone to notice.

With so many data breaches over the past several years, you would expect companies (and governments) to do something about them.

Bad publicity. Large fines. Lawsuits.

You’d expect action. You’d expect changes. But no…

Yes, we do get columns from horrified pundits and breathless press releases from security startups seeking funding, but, at the end of the day, no change.

Just another round of data breaches.

Data breaches need to matter more

Ashley Madison had to have known the site was at risk. A breach at Adult Friend Finder was announced in May of this year. Sensitive information on 4 million current and former Adult Friend Finder customers was outed.

Companies are (usually) rational. When there is a problem that isn’t getting fixed, it probably isn’t that big a problem.

And that’s where we are with data breaches. The evidence is clear. Data breaches just don’t matter much.

The worst-case reported costs for the recent major breaches at Target, Sony, and Home Depot were estimated at between 0.01% and 2% of annual sales.

For example, the massive Target breach cost the company $252 million. That sounds serious until you consider that the cost per breached customer was at most between $4 and $5.

And that’s before insurance and tax deductions.

It’s closer to half that. Spread out over years.

So it’s just a blip — if you look at data breaches as IT and PR problems.

But they’re not: They’re a real business problem.

Soft costs, hard numbers

The problem is that the math is a bit off.

The reported costs are the hard numbers for the companies to “restore their IT systems” and pay fines, penalties, and lawyers.

But the hard costs are small compared to the soft costs, to say nothing of the costs to their customers (a topic for another day).

Back to Target

Target had a terrible 2014. The massive data breach hit just in time for the holidays at the end of 2013:

Looking at it another way, it was a reduction of around $600 million in EBIT (-12.6 percent).

Discount that loss any way you want, but those numbers are real.

And they’re not covered by insurance or deductions.

Real money

Sorry, security folks, we need to start talking money and business. Not fear and tech.

If you can’t save money or make money doing security, don’t.

A well-established, traditional business like Target will likely turn around. Big box stores have eliminated a lot of their local competition, so many customers will return, eventually. They have little choice (though 2014 was a good year for Amazon Prime – coincidence?). But for a lot of businesses, a major data breach could be a company killer. Or crippler.

Before the breach, Ashley Madison was busily seeking investors. I don’t think anyone thinks this incident is good for Ashley Madison.

This data breach has to have notably decreased the company’s valuation. Fewer subscribers. Increased churn. Any potential investor is going to look extra closely at their operations. Not to mention distractions of lawsuits and government investigations.

This is where security professionals need to focus. Stop begging your CIO for staff and equipment funding. Instead, warn the CFO of the hundreds of millions in revenue the company may lose if he or she doesn’t invest in security.

It’s your turn

How do you justify or judge security expenditures?

Are you satisfied with your security program? Why or why not?

What security topics would you like covered?

I look forward to your comments below. Or feel free to email me directly.