We are all highly aware of the vital role information security plays within our businesses in order to prevent reputation-shattering data breaches, but what about its effect on our bottom line?
At the end of the day, businesses are run in order to make money, and hopefully once all costs of sales, wages, other outgoings and taxes have been deducted from a company’s accounts, the bottom line will show a healthy net profit. That is, of course, not taking into account any unforeseen expenses. If a business were to incur a data loss, for example, the cost and therefore the effect on its bottom line could be phenomenal.
Cost per breached record
According to two 2011 Ponemon Institute reports studying UK- and US-based businesses, UK organisations were found to lose an average of £1.9 million annually from breaches, with losses suffered by US companies put at $7.2 million. The average cost per compromised record in the US following a data breach was estimated to be $214.
To put this into perspective, the recent breach of Amazon subsidiary Zappos saw the records of some 24 million customers compromised. On an even larger scale, the infamous attack on Sony’s PlayStation Network compromised data from 77 million users. How many companies’ bottom lines could afford to outlay $214, 77 million times? The gaming giant itself saw profits fall, with its share price dropping by 55% after the hack.
These losses from a breach can be attributed to several factors. An affected company may lose business because the resources that have been breached are essential to business continuity; or because crucial IT systems must be shut down to repair the problem – which could also entail costly labour charges for IT professionals.
Investigations into the reasons for a breach are another costly expenditure, particularly if it is a malicious attack or insider threat that would warrant legal overheads to prosecute a perpetrator. If customer data is compromised, there is also the question of how much it would cost if litigation were sought.
Add to this the cost of breached customers almost certainly taking their business elsewhere, and you can see how an organisation’s bottom line could be affected. And this is without factors that cannot have a specific cost attributed, such as reputational damage and loss of potential business.
It comes as little surprise, then, that a report from PwC into the future outlook for the technology deals market cited cyber security as a major factor when considering mergers and acquisitions. A heightened consumer awareness of threats to their data was offered as one of the main reasons that businesses will “continue to seek acquisitions that can rapidly differentiate their offerings with enhanced levels of security.”
The report, published in January 2012, references a rise in cloud computing, increasing use of mobile devices to access the internet and tough privacy legislation as just some of the reasons for this move. And this is not only within the technology industry.
The PwC report extends its gaze to the defence sector, which it explains is expanding its offerings to incorporate cyber security. You only have to think back to the attacks over Christmas on US Department of Defence suppliers Stratfor and SpecialForces.com to see all too well how important this development could be.
The bottom line
Incorporating an integrated security awareness programme into a business’s regular outgoings may raise expenditure in the short term, but unless employees are educated in the importance of secure behaviour, the adverse effect on a bottom line could be far greater. Plus, as demonstrated in the technology industry’s plans for 2012, enhanced levels of security could in fact ensure enhanced levels of profit.