Economic risk often trumps security measures

When Yahoo was hit with a $35 million fine earlier this month, it felt like a win for consumer rights advocates and those affected by the 2014 breach – now thought to be one of the world’s largest.

The penalty, doled out by the US Securities and Exchange Commission (SEC), was allocated for the company’s failure to disclose the incident to its shareholders – details that took two years to reveal, with multiple reports of fraudulent identities created as a result.

“We do not second-guess good faith exercises of judgment about cyber-incident disclosure,” said Steven Peikin, an SEC enforcement co-director, announcing the Yahoo forfeit in a recent press release.

“But we have also cautioned that a company’s response to such an event could be so lacking that an enforcement action would be warranted.

“This is clearly such a case.”

While charges may point to the SEC’s increasingly proactive stance on security misconduct, the end result feels more akin to a federal slap on the wrist for the recently swallowed-up web provider, now known as Altaba after it offloaded its core digital assets to Verizon last year at a bargain price.

“Public companies should have controls and procedures in place to properly evaluate cyber incidents and disclose material information to investors,” said Jina Choi, director of the SEC’s regional office in San Francisco, outlining the effects of what turned out to be three breaches in Yahoo security.

Now, with Verizon fronting the SEC bill and forbidding Yahoo account holders from taking any class action lawsuits – or risk the loss of services – questions have been raised on whether incurring the cost of a data breach is enough to motivate companies toward a business model aimed squarely at protecting consumer data.

According to the UK’s Department for Digital, Culture, Media & Sport (DCMS), the majority of businesses still have no standard cybersecurity policy in place, despite the numerous public scandals that have befallen the likes of Equifax, Facebook, and indeed Yahoo.

The DCMS found there was a lack of incentive for businesses to invest in cybersecurity measures if it meant a spike in downtime or a break in enterprise continuity, with companies spending an average of £3,580, regardless of their size.

A recent report by UK cybersecurity firm NCC Group reiterates these concerns, highlighting what has become a common industry practice of putting cybersecurity on the back burner in favor of risking a breach, which is assumed to be less expensive in the long haul.

With the need to change this narrative growing as the occurrence of data breaches rises – up 40% worldwide, as recorded by the ID Theft Centre in 2016 – NCC measured the cost of implementing security measures against the likelihood of a business having its infrastructure exploited.

Taking the Ponemon Institute’s model of calculating the cost of a breach per individual data record, which NCC puts at £120 per record in the UK, the report found that companies with over 6,000 records face economic loss without the appropriate cyber defense in place.

Insecure companies with a higher turnover suffered bigger financial consequences. Losses rose from £1.5 million for companies with a turnover between £5 million and £9.9 million to £10 million for those with a turnover of over £50 million.

The time taken to detect and contain a breach also drove up costs, but businesses with a small number of records or a low annual turnover still saved money by ignoring security and dealing with the damage following a cyber incident.

Simply taking a stock market hit and paying a bill may no longer be enough for a company to recover from a data breach, as it becomes clear that the loss of consumer trust far outweighs any financial penalty.

Nick Dunn, managing security consultant at NCC Group, said: “This analysis demonstrates that cyber resilience when it comes to the security of sensitive data needs to be a priority for all businesses, and it is important to note that this analysis only takes into account the impact of one data breach.

“Even though one breach alone can cause a lot of damage, organizations should also have solid procedures and cyber incident response plans in case they face repeated attacks.”

Dunn added that with the EU’s General Data Protection Regulation (GDPR) coming into force later this month, businesses will now face higher costs for failing to protect consumer data – up to 4% of a company’s annual turnover.

He said: “With the amount of sensitive data held by organizations only increasing in size, it is crucial for all businesses to ensure that they have considered every possibility and taken tangible steps towards enhancing their security posture.”