What Does it Look Like? Anatomy of a Data Leak

Startups and SMBs undergoing a digital transformation aren't the only ones having issues. Yahoo and Amazon have experienced record-breaking breaches that cost the companies millions of dollars and damaged their reputations. One of the hardest hit industries is health care, where millions of patient health records are infiltrated each day.

Share Price: How Low Can You Go?

We know that a small business can be devastated after a data breach even if it never becomes public knowledge, but what about the effects on larger publicly traded enterprises, specifically when it comes to the underlying valuation of share price? The UK-based research firm Comparitech performed an analysis of 24 companies. Each is publicly traded on the NYSE, and each experienced a data loss or exposure of at least one million public records. The companies analyzed included Apple, Equifax, Experian, Sony, Under Armour, Vodafone, T-Mobile, JP Morgan Chase, Dun & Bradstreet and other giants in their particular industries. This report was released in August 2018 and extended backwards over a three-year period. Comparitech used the NASDAQ index as a benchmark for comparison against the individual NYSE companies. The key takeaways from this analysis are as follows:
- As a long-term effect, company stock underperformed when compared to its previous value. In the first year after a breach, share prices rose by an average of 8.53% but lagged the NASDAQ by -3.7%. After two years, share prices had increased by 17.78% but continued to lag the comparison index, by -11.35%; this trend continued for the duration of the study.
- The sweet spot for market devaluation was about two weeks after a breach, with an average share dip of 2.89% at that point and a drop against the NASDAQ of about 4.6%.
- The biggest decrease was experienced by finance and banking companies, while the least affected were in the healthcare industry.
- Companies that leaked financial data like credit card or account numbers experienced higher losses and took longer to bounce back than those that exposed less sensitive data.
- Most companies began to rebound 30 days after the leak was made public. However, their performance was still diminished, and it took several years to make it most of the way back.

Beyond the Stock Market

Deloitte also studied the impact of a data breach on companies after cyber attacks. Their report analyzed 14 factors that determine the full impact of a massive compromise, including customer notification and post-breach data protection, regulatory compliance issues, loss of intellectual property, reputation and stock value, and the scope of operational disruption. Many losses were intangible.

For example, a US-based health insurance company worth more than $60 billion and with 50,000 employees planned to raise one billion dollars to acquire a health care system. In May of 2018, a laptop containing 2.8 million patient records was stolen from a vendor's office. The incident led to a complete shutdown of doctor access to patients' insurance information and resulted in nearly $1.7 million in losses based on Deloitte's impact scale.

Given the cost and long-term effect on stock prices, should your company publicly disclose a data leak or hack? The short answer is "Yes." Few things shake consumer confidence, and stockholder trust, more than a lack of transparency, especially when it comes to data security. If the Google+ breach proves nothing else, it demonstrates the impact on reputation and trust that can occur when a company that should know better behaves badly. Google sat on that breach for months. They only went public when they were outed by the Washington Post. As a result, the online platform was closed. In the age of the internet, when it seems like everyone is a journalist or a whistle-blower, it's better to come clean and manage your reputation up front than to be exposed in the media and try to contain the damage later. Better yet, prevent problems in the first place.

Best Practices to Avoid a Stock Market Nightmare

The internet has made it easier for companies to provide a higher level of service in an instant. The key to instilling that level of loyalty and trust in your customers is transparency and a demonstrated concern for security. That means sitting down with managers, supervisors and department heads to assess security concerns, drawing up a plan of action, codifying it, making sure every employee is aware of procedures, and then following up to refine your approach. Once a year, you should evaluate how effective your plan has been and retool as needed. In addition to formal security measures, there are practical steps you can take to secure your business information. What follows is the bare minimum a business should do to improve security and retain a good reputation. As your company grows, you can invest more into cybersecurity and upgrade as needed.

1. Encourage Your Staff to Become Security Savvy

Many breaches aren't the result of intentional penetrations at all. More than 80% come from unsafe data handling practices and poor password management. The latter can be strongly mitigated by using a password manager that suggests, stores and fills in random character combinations and by implementing a two-factor authentication (2FA) strategy. The bottom line here is frequent employee training about how to NOT be part of the 80%. Just do it.

2. Create Strong Barriers

Like password protection, firewalls and a strong security suite create a defensive perimeter around a network that criminals have to penetrate before they can do mischief. Powered to an ever-growing extent by artificial intelligence and machine learning, the technology of firewalls has taken a massive leap forward in recent years when it comes to recognizing and shutting down malware, and you should expect that to continue. When it comes to the offensive side of cybersecurity, the one tool every individual and organization should deploy is a VPN (virtual private network). This technology creates an anonymous, encrypted tunnel between your network or device and the open internet. Data can pass through this connection without fear of being observed or stolen by snoopers.

3. Be Proactive

Practices like security audits and pen testing provide a comprehensive overview of where your company stands. Publishing your security protocols - without giving details to hackers - instills confidence in your company among employees and the public.

4. Keep Technology Current

In this day and age, it's bad strategy to skimp on your investment in advanced tech. You've heard it before, but we wouldn't say it if it weren't true - it's not an expense, it's an investment.

5. Protect Your Networks

Don't use unsecured servers and devices. An affordable private network is a cost-effective way to incorporate encryption into your cybersecurity plan. Choose a company that's been around long enough to have testimonials from loyal customers and the results to back them up.

The Bottom Line

From the preceding discussion we see that, though alarming, the negative effect of a significant data breach on the underlying stock price of a company probably will not ruin the organization. There will be an expected short-term share price loss that might make a few investors squirm and take a few years to recover from. One thing these giant companies have going for them is that they are tip-of-the-tongue brands. The stock-buying public probably has a tough time believing these business titans wouldn't fix a cybersecurity problem once they became aware of it. Additionally, where else will you get your iPhone or Under Armour gear? They've sort of cornered the market on the product they peddle. Lastly, there's something to be said for the forgiving nature of the buying and the investing public, especially when the company is too big to fail.