It’s no longer a matter of debate as to whether companies will be hacked or whether our critical infrastructure is vulnerable to cyber attacks—we know that both things are true. But after a year of well-publicized hacks at Sony, Home Depot, Target, Anthem and others, many corporations have not improved their cybersecurity practices, properly trained their employees, or safeguarded sensitive consumer data—all of which would help bolster their cybersecurity posture. The question is: why?
The answer is straightforward—the losses involved are relatively small compared to the costs associated with strong cybersecurity measures, and many companies have concluded that the cost-benefit analysis tilts in favor of doing nothing or very little. In other words, these companies seem inclined to disregard cybersecurity until customers decide to take their money and business elsewhere.
Take the case of Target, for example. This week, they agreed to pay $10 million under a proposed settlement in a class-action lawsuit relating to their massive data breach from 2013. Nonetheless, the company recently said that the total bill for the breach was approximately $252 million, and that after $90 million in insurance coverage and other tax deductions, their total cost was roughly $105 million—or about 0.1% of Target’s 2014 revenue. Although these numbers may seem large to the average person, the costs barely made a dent in Target’s revenue stream, even if their CIO and CEO had to resign over the breach.
On top of that, Target will be required to adopt and implement data security measures as part of the settlement, such as hiring a CISO, maintaining a written information security program, and providing security training to employees—all of which are cybersecurity measures that any company—especially a large company—should already have had.
In short, from a purely financial perspective, investing in cybersecurity may seem like a waste of money to some companies. Instead, these entities prefer to save the extra money and perhaps use it to cover the cost of a breach if one occurs. (Smaller companies are exceptions—breaches like the one at Target would likely topple them.) From a holistic perspective, however, companies should start paying attention to all the additional—sometimes hidden—costs of a breach, including brand equity, customer loyalty, and company reputation, if they want to continue to prosper and retain customers in the long term.
In the meantime, Target is supposed to pay individual victims up to $10,000 in damages—although it will most likely end up just reimbursing victims for “lost time,” as court papers say. That might include the time victims spent getting cards replaced and calling their bank, and this is only if customers can prove they were damaged by the data breach. If the victims of the Target breach conclude they received the short end of the stick on this, they may just choose to shop elsewhere in the future—and that’s an added cost Target should consider as well.
Target To Pay $10 Million to Settle Lawsuit from Massive Data Breach | Huffington Post
The Reason Companies Don’t Fix Cybersecurity | CBS Money Watch
Target Data Breach Victims Could Get Up to $10,000 Each from Settlement | The Washington Post