The Expert's View with Hord Tipton

Avoid Long-Term Breach Consequences

Top of the List: Cover the Basics

After what might be called "the year of security breaches," analysts and security personnel are realizing that the consequences of a network security breach involve much more than just stolen passwords. (Also read: 2011's Big Breaches: What We've Learned)


Until recently, relatively few companies have focused on the long-term ramifications of a network breach, such as damage to an organization's reputation. Now, some are gaining a better understanding of what can and should be done after a breach to minimize damage.


The first thing to understand is what has been significantly impacted. From there, the most obvious concern is the mitigation costs. But how do you quantify the long-term public perception damage of "per record lost"? The answer is statistics. The financial analyses of breaches are now becoming statistical, and that means financial analysts at companies where these breaches are occurring are realizing that the way in which breaches are dealt with directly influences stock market behavior.

An article titled "Market Price Effects of Data Security Breaches," published in (ISC)²'s Information Security Journal: A Global Perspective, uses case studies of major corporations and finds that compromises that could have been prevented have a much more negative impact on stock prices than those that were unavoidable. Publicizing this study and others like it demonstrates the need for safe and smart security practices, not just to prevent a breach but to mitigate it as well.

A number of factors go into whether a breach will be a minor blip in the news cycle or will have a long-term impact on the company's ability to stay in business. Not surprisingly, consumers are very sensitive about their privacy, and any type of breach that may have affected their personal information will make them question whom they are trusting with their private information.

But, believe it or not, consumers are also very forgiving and understanding. If a company can show the public that, to the best of its ability, it had prevention techniques in place before the breach, it has an adequate recovery plan, and it's taking proactive steps to mitigate the problem, the effects of a breach can be short-lived, with less of an impact on stock prices and customer loyalty. More often than not, security breaches become long-term issues in the public eye when companies have a careless approach to their security that allowed the breach to occur, do not address a breach's severity and do not have a recovery plan in place.

Of course, another major factor in the consequences of a network security breach is the industry that the company represents. Not surprisingly, each industry reacts to breaches differently, and understanding that fact is crucial in determining the overall effect. For example, security breaches targeting the banking and healthcare industries are more severe because of the sensitivity surrounding the type of data they handle. Additionally, networks related to a nation's critical infrastructure - transportation, utilities, etc. - are top-of-mind for citizens. As a result, these industries must be extra diligent in ensuring the proper security measures have been met.

Key Steps to Take

So that brings us to the real question: How can companies and IT security leaders keep a network security breach from becoming a long-term problem for their public image and stop it from negatively affecting their customer base?

  • First, cover the basics. Make sure you have a specialized incident response and crisis communications team to deal with the problem when and if it occurs. For example, in 2011, Sony was breached and did not even have a chief information security officer in place who should know how to deal with the problem. How can a company expect to satisfy customers when it lacks security leadership?
  • Second, companies need to be responsible. If customers notice the company is seriously addressing the breach, they are much more likely to understand that preventing breaches altogether is very difficult for any organization. Unfortunately, some are beginning to call network breaches "a cost of doing business," which is understandable. However, there is also a responsibility of doing business, and keeping customers' well-being in mind when considering security practices is not only the ethical thing to do but is just a good business decision.

Tipton is the Executive Director for (ISC)², the largest not-for-profit membership body of certified information security professionals worldwide, with more than 80,000 members in more than 135 countries.



About the Author

Hord Tipton


CEO, (ISC)²

Tipton is the executive director for (ISC)², the global leader in educating and certifying information security professionals throughout their careers. Tipton previously served as president and chief executive officer of Ironman Technologies, where his clients included IBM, Perot Systems, EDS, Booz Allen Hamilton, ESRI, and Symantec. Before founding his own business, he served for five years as Chief Information Officer for the U.S. Department of the Interior.



