19
May 2016
Early versus late data breach outcomes
Andy Harris
We spent some time looking at the outcomes for companies that were the victims of cyber breaches, comparing those who experienced early data breaches to those who experienced late data breaches.
Early breaches
When we extended the time frames, early data breach victims followed a similar six-month pattern:
- Share price took a heavy hit on announcement
- Senior Executives lost their positions
- Security became a short-term focus
- New leadership focused on getting customers back through discounts and deals
- Sales volume recovered
- Share prices recovered and improved compared to competitors.
In other words, six months after the attacks businesses were in better shape than their competitors. Companies with the weakest security experienced the first wave of data breaches. The net result was that the subsequent shake-up was just what those companies needed, and as a result, they did better in the end. Their competitors would have reviewed their security, but without the personnel churn at the top.
Customers got used to data breaches and then increasingly fed up with data breaches. They consider big companies as mostly the same, and therefore price and service returned as the key buying factors.
Late breaches
Fast forward to today, and data breach victims are suffering. Taking TalkTalk as an example, we found these key differences:
- No senior staff changes
- Share price starting to show gentle recovery, but still well below the pre-breach level (29 months later)
- Around 100,000 customers lost — and not replaced. (157,000 customer details breached)
- Profits not recovering
- The loss of between £40M (board) and £65M (press)
Retail organisations in previously good health can bounce back by heavily discounting stock. Service organisations don’t have that luxury; they don’t have stock to lean on and market forces are setting the general price level.
Organisations that rely on their reputation for confidentially suffer the worst. The ICO investigated 173 law firms regarding data breaches in 2014, culminating in this Information Commissioner Warning, warning barristers and solicitors to keep personal information secure. In 2015, Law Firm warnings were running at 15 per quarter.
There is a constant cycling of who is at the bottom of the pile security-wise. This drives the need for constant vigilance. Osirium PAM is about prevention of breaches, rather than detection. We help prevent the external attacker and deter the internal wrongdoers.
If you’d like to find out more about Osirium PAM, get in touch.