How Cyberattacks & Data Breaches Damage Reputation
How Dangerous are Data Breaches and Cyberattacks for Companies?
From the media, we often hear about data breaches and reputational losses worth millions of dollars for companies across the globe.
Consider the 2019 cybersecurity breach of the Capital One bank holding company that specializes in credit cards, auto loans, banking, and savings accounts. As a result of this cyberattack, the hacker gained access to 140,000 Social Security numbers, one million Canadian Social Insurance numbers, and 80,000 bank account numbers along with people’s names, addresses, credit scores, credit limits, balances, and other information, as reported by the bank and the US Department of Justice. In addition, the company’s stock price dropped nearly 6% immediately in the after-hours trading session, losing 13.8 percent within two weeks after the leak was publicly reported.
Another data breach incident occurred in October 2013 at Adobe. Nearly 3 million customer credit card records, transaction details, and other data from up to 150 million accounts of Adobe users were affected in this incident.
The Uber leak of 2016 is also worth mentioning. The attackers gained access to 57 million customer and driver records, including passenger names, phone numbers, email addresses and where they were registered, drivers’ salaries, travel reports, and in some cases, drivers’ license numbers. Uber did not disclose the leak and was eventually fined $148 million for the concealment and for the leak itself.
What is the Impact of Cybersecurity Breaches?
Firstly, there are fines and compensations in case of a breach, but that’s not all. According to the Forbes Global Study on the Economic Impact of IT Risk conducted in association with IBM, in the event of a data breach, the value of shares immediately drops by 5% at the time the incident is disclosed. Further, if the company, in which the leak occurs reports the leak and quickly responds to the data breach, it is able to restore the previous share price in an average of seven days. If the company does not respond on time and does not notify users about the ongoing efforts to recover the share price, it takes them more than 90 days to recover. There is a dependence between the fall in the value of shares and the speed of return to the previous level for incidents related to security breaches.
If a security breach occurs at a high security company, the share price falls by no more than 3% at the time the incident is disclosed and in about 90 days, the stock price exceeds the pre-crisis level. In case of a leak at a company with a low level of security, the share price recovers in more than 90 days.
How Cyberattacks Damage Reputation
If it is impossible to get access to a service, the client loses trust in the company. It is especially true for financial institutions. This may result in the loss of customers, as they may switch to competitors. Trust is difficult and time-consuming to gain and maintain, but is very easy to lose. When clients use your service, whether it be a product ordering system, cloud storage, computing power, or mobile communications, they trust you with their personal data and expect that their data be protected and the service be available.
In the event of a hack or leak, trust in the reliability of the company is undermined. As a result, new customers stop coming and the old ones begin to refuse the services you offer. Information about incidents is distributed via the Internet, which means that almost instantly it becomes known about the denial of service for an application. And no one cares, whether the application is unavailable due to hacker attacks or because of the poor service performance. Everyone expects resilience from the service, if that’s what you promise.
According to the IBM Global Study on the Economic Impact of IT Risk, downtime can be categorized into minor with an incident time of about 19.7 minutes, major that can last up to 442 minutes, and medium with a downtime of around 111 minutes. The same study shows that minor incidents are three times more likely than major ones.
The price of a one-minute failure for a minor incident is lower than a minute of a major incident (about $53,223 for major, $32,229 for minor, and $38,065 on average). In aggregate, the estimated cost of a failure for a minor incident is up to $1 million and for a major incident from $14 million to $100 million, the average cost being $4 million. The evaluation criteria are cost of users’ idle time and lost productivity because of downtime or system performance delays, cost of forensics to determine the root causes of disruptions or compromise, cost of technical support to restore systems to an operational state, cost associated with reputation and brand damage, revenues lost because of system availability problems, and the cost associated with compliance or regulatory failure. It is worth noting that although the cost of consequences of minor incidents is much lower than of major incidents, the high frequency of minor incidents leads to higher costs over time.
Unaware does not Mean Protected
Small and medium-sized businesses are an easy target for hackers, because these enterprises have less stringent protection and fewer resources to implement cybersecurity. They are less aware of cybersecurity threats and often lack a cybersecurity strategy. The consequences of cyberattacks for such enterprises are often more devastating. According to recent studies, about 60% of enterprises shut down within six months after a cyberattack.
How to Prevent Cybersecurity Breaches
First of all, you need to start duplicating data. Backups will help in the event of a natural disaster when a building or equipment is damaged, as well as in the event of a cyberattack. This way, it is possible to increase fault tolerance.
Regular Cybersecurity Training
Human errors are one of the biggest threats, if not the biggest threat. If an employee is not aware of cybersecurity measures, you should not expect him or her to be cautious with a suspicious link or a random flash drive. Likewise, in case of a cybersecurity incident, an employee probably would not be able to respond properly.
It is necessary to assess the cybersecurity state of both networks and applications. Penetration testing and vulnerabilities help identify weaknesses, inconsistencies, and shortcomings, as well as give an idea of the company’s level of cybersecurity. Following a cybersecurity audit, a report that contains recommendations for eliminating weak points is generated. Repeat audits are also indispensable.
Employee Access Restrictions
Damage from a compromised employee account can be significantly less, if the employee has access only to the necessary parts of the system, not all. Access should be revoked over time. Admin accounts also should not be left omnipotent and with default passwords. After termination of an employee’s employment, it is worth deleting his or her account and revoking access to company resources.
Any software may have security vulnerabilities. Hence, it is always necessary to check the relevance of the software version you use to reduce the risks of exploiting legacy vulnerabilities. Software vendors are not required to provide security updates for unsupported products.
This is the first part of our cybersecurity series that I prepared in cooperation with my team, namely Maksim Martsinkevich, our Team Lead, and Artyom Litvin. Stay tuned to read about zero day attacks.