The reason companies don't fix cybersecurity
U.S. air traffic control systems are vulnerable to hackers, says the General Accounting Office. Cybercriminals target retail loyalty cards. Obsolete encryption leaves phones vulnerable.
When it comes to giant data breaches suffered by Sony (SNE), Home Depot (HD), Target (TGT), Anthem (ANTM) and many others, the vulnerability of online information is by now a fact of life. So why don't corporations plug the gaps, improve their practices and safeguard sensitive consumer data? After all, these measures would prevent potential financial loss and identity theft.
The answer: The losses involved are so small compared to the revenue that it's easier to take a chance and write off any losses should they occur. In other words, worrying about data breaches isn't worth it to them.
To understand the attitude, you need to follow the money. Benjamin Dean, a fellow for Internet governance and cybersecurity at Columbia University's School of International and Public Affairs, compared some high-profile data breach costs to the revenue of the companies. It turned out, some major breaches cost the companies that had lost the data relatively little.
Remember Target's loss of 40 million of debit and credit card numbers and 70 million other records, which included addresses and phone numbers? The company recently said the total bill was $252 million between 2013 and 2014. After $90 million insurance coverage, $162 million was left. Tax deductions brought that amount down to $105 million. The sum was about 0.1 percent of Target's 2014 revenue.
This isn't unusual. For the loss of 56 million credit and debit card numbers and 53 million email addresses to hackers in 2014, Home Depot was out only a net $28 million, after a $15 million insurance payment. That's less than 0.01 percent of the company's 2014 revenue.
And Sony's big breach at the end of last year? The company's estimate is that "investigation and remediation costs" -- expenses incurred to provide fraud protection to those whose data was compromised -- would be about $35 million, or maybe 2 percent of sales and a good deal lower than initial loss estimates of $100 million.
"One of the things we've done over the years is a post-mortem analysis of what was the impact of the data breach to the organization in a cost perspective," Larry Ponemon, chairman and founder Ponemon Institute, which undertakes annual cybersecurity studies, told CBS MoneyWatch. "In some cases the feedback from CEOs and board members was it's interesting, but it's not a sleepless night."
The reality is that although the numbers may seem large to the average person, the financial impact on companies is negligible. For example, Target has 366,000 employees worldwide. The $105 million actual loss would be $287 per employee, or about enough money to spend $1.15 on a small cup of coffee each working day for every person. For a major corporation, this is chump change.
In 2014, the Ponemon Institute surveyed 314 companies around the world. The smallest by annual revenue was on the order of $100 million. Most were multibillion-dollar corporations. Ponemon's estimate of the average data breach cost to these companies for the year was $3.5 million. The organization ran some numbers for CBS MoneyWatch. The average revenue size was $1.967 billion. That means the average data breach represented only 0.18 percent of revenue -- a rounding error.
Furthermore, not every company reported a data breach. The chance of one affecting at least 10,000 records was 22 percent over a two-year period. Using some standard corporate risk analysis, if you weighted the average breach cost by the chance of it happening and then divided by 2 to get an annual breach cost, the amount would be $385,000.
From a purely financial view, any amount spent above this to more thoroughly tighten down security would be a waste of money. The company could save the extra and more than cover the cost of an eventual breach.
And massive breaches are even rarer. The chance of losing 100,000 records in a two-year span was about 1 percent. "It's less than 0.5 percent that a Fortune 1000-size company would experience a data breach involving a million or more records," Ponemon said.
What appears in the financial statements is what catches the attention of Wall Street. There are additional costs, including brand equity, customer loyalty and word of mouth, according to Viswanath Venkatesh, professor of information systems at the University of Arkansas Walton College of Business.
"That's the real cost," Venkatesh told CBS MoneyWatch, "the fact that we're talking about Target data breach [and] we're not talking about Walmart. It has some implications for choice and customer decisions."
But are the implications significant? With greater consolidation in all sectors, fewer distinct companies are offering the same service. "If you have enough data breaches, people start to assume that all companies are equally bad at protecting data," Ponemon said. "If you say they're all equally bad, why should I suffer inconvenience if I go to another store?"
New customer acquisition can be a problem, but probably not a permanent one. After a major breach of Sony's networks a few years ago, Ponemon Institute polled consumers every 48 hours to check on the company's reputation. "It was about 171 days for the organization to recover the place it was before the data breach," Ponemon said. Less than six months after the problem, things were back to normal.
What marches out the door are copies of information. Corporations still have their own copies and can do the sort of data analysis that helps them better market and wring value from the information. So, companies don't even suffer a significant disturbance of business as usual, unless you're in the IT department trying to track down the problem.
Smaller companies are exceptions. If a business isn't a behemoth, it's likely to be hit far worse. But even they benefit from one thing that also helps the large companies: Others bear the biggest costs. By law, the financial institutions are responsible for absorbing fraudulent credit card transactions, and consumers may have to pay in time and money to straighten out problems if someone does steal their identity.
In short, don't expect large companies to tighten down everywhere possible to keep your data beyond reach. The effort is just too expensive.