By Cindy Waxer on April 16th, 2006
IT security spending is on the rise again. According to Forrester Research, businesses across North America and Europe will spend 7.91 percent of their IT budgets on security, compared with 7.75 percent in 2006.
Certainly, there’s plenty of griping to be heard over the high price of intrusion detection, server management and virus protection tools. Not to mention the exorbitant costs of IT security training and awareness campaigns. Yet, these price tags pale in comparison to the financial punches companies face in the wake of a security breach.
“It really depends on the type of company you are,” says Paul Stamp, a Forrester Research senior analyst. “If you’re heavily regulated, then the fines can be pretty hefty. If you’re pretty high profile, then the cost of getting new customers can really be tough.”
Think you’re safe? Check out these real-world examples of cutting corners on IT security – the costs and the consequences.
A Bug’s Financial Sting
There was nothing warm and fuzzy about the "ILOVEYOU" virus that struck some seven years ago. According to Computer Economics, the virus and its variants caused $6.7 billion in damage in the first 5 days alone. In fact, the 2006 CSI/FBI Computer Crime and Security survey ranks virus contamination as the leading cause of security-related losses, resulting in a whopping $15,691,460 in losses among 313 respondents.
As far as corporate America is concerned, the appearance of an uninvited guest is more than rude; it’s downright expensive. Just ask the executives over at TJX. In December 2006, the US retailing giant detected a hacker intrusion against its credit card transaction processing system. Hackers stole information from 45.7 million customer credit and debit cards. Data security vendor Protegrity has crunched some numbers and estimates that the breach will cost TJX nearly $1.7 billion. The company is already facing a number of legal claims from customers and shareholders affected by the breach.
While many types of security breaches are on the decline, losses from laptop or mobile hardware theft actually increased from $19,562 per respondent in 2005 to $30,057 per respondent in 2006, according to the CSI/FBI survey. Total losses among 313 respondents amounted to $6,642,660 last year.
Despite these losses, the Ponemon Institute reports that 81 percent of companies reported the loss of one or more laptops containing sensitive information last year. What’s more, Symantec reports that the theft or loss of a computer or other data-storage medium made up 54 percent of all identity theft-related data breaches in the second half of 2006.
Viruses, hackers and laptop theft may account for the majority of today’s security-related losses, but identifying root causes is only half the battle. Many companies fail to recognize the factors contributing to the high price of these security breaches.
Whether it’s collecting forensic data, notifying affected customers or responding to employee concerns, cleaning up after a security breach can drain precious IT resources and greatly impact employee productivity.
“The cost of that forensic analysis can certainly add up in addition to the lost time and lost productivity as a result,” warns Oliver Friedrichs, a Symantec Security Response Director. “If you have critical systems that have been compromised, certainly the risk to your bottom line could be fairly substantial.”
In fact, according to a Ponemon Institute survey, the cost of diverting employees from everyday tasks to managing a data breach increased 100 percent last year, from $15 per record in 2005 to $30 a record.
Forget about proprietary information. One of the worst things a company can lose to a hacker is its hard-earned reputation. Rebuilding a brand can cost millions in public relations consulting fees, customer outreach efforts and advertising campaigns. Not to mention the high price of defending a company in the face of liability suits. After the U.S. Department of Veterans Affairs lost 26.5 million personal records in a data breach, a coalition of veterans groups filed a class action seeking $1,000 in damages for each person, a payout that could eventually reach $26.5 billion. And then there are the intangible costs associated with a tarnished reputation – the high price of earning back a customer’s trust.
Uncertain if a security breach has shaken the public’s confidence? One telltale sign is a company’s stock value. According to a 2003 study, "The Economic Cost of Publicly Announced Information Security Breaches," published in the Journal of Computer Security, publicly held companies suffer a 5 percent stock drop in the wake of such a disclosure.
“A data breach could have a drastic negative impact on your stock value,” Friedrichs says.
While stock prices have been known to rebound, there are always exceptions. In late 2005, ChoicePoint revealed that criminals had stolen personal information on over 163,000 consumers. The day the breach was reported, the data broker’s stock value fell 3.1 percent. By late February, the company’s stock value had plummeted nearly 9 percent. Nearly two years later, the stock is about 20 percent lower.