Breached firms stunned by 5% stock decline: What CISOs need to do differently
13 September 2017
By Bill Mann, senior vice president of products and chief product officer, Centrify
Equifax is just the latest in a long line of high-profile breaches that have occurred over the past 12 months, but have you ever wondered what the true impact of a data breach is on an organisation’s share price? Up until now, there’s been little hard evidence to highlight just how devastating the financial and reputational blow from a breach can be.
A new Ponemon research study on the impact of breaches, commissioned by Centrify, has revealed the far-reaching consequences of data security breaches across an organisation, including sales, marketing and IT, and the significant negative effect on company finances, shareholder value and brand reputation. The research also included analysis of 113 publicly traded benchmarked companies that had experienced a material data breach. Their share prices were analysed for thirty days prior to the breach and for 90 days following it, with startling results: they experienced an average stock price decline of 5%, resulting in millions of pounds in losses.
Just as telling was the share price recovery time, which differed vastly depending on the security posture of the company. Companies with a high security posture had a stock price decline of no more than three per cent following disclosure of the breach, and after a further 90 days the share index value showed a gain of three per cent above what the stock price was before the breach. Companies with a high (superior) security posture show a quick reaction to the data breach event, and share value recovers after only seven days.
The same cannot be said for low security posture companies, whose share prices didn’t fully recover after a breach; their stock price decline after the data breach disclosure appears to be long lasting, e.g., more than 90 days.
It’s clear that organisations, spearheaded by the CISO, must get their cybersecurity posture in order ahead of the GDPR deadline in 2018, which will mandate breach notifications. With no more opportunities to sweep incidents under the carpet, now is the time for companies to implement a comprehensive security strategy focused on people, process and technology. Having a high security posture provides the ideal foundation for GDPR compliance because, from a cyber security perspective, it’s all about following industry best practices, preventing unauthorised access to and disclosure of your customer data, and ensuring the confidentiality, integrity, availability and resilience of systems and services.
Data breaches have become commonplace, and those who fall foul of them are not defined by either a high or low security posture. Just about any company can experience the loss or theft of sensitive and confidential information, but the difference is that those possessing a strong security posture are more resilient, so an impact on, for example, share price is less likely than for those with a weak security posture.
So what can be done to improve organisational security? By following the criteria that constitute a high security posture, companies will be taking some fundamental steps in strengthening their resilience to breaches as well as their ability to recover should the worst happen.
Ensure there is a fully dedicated CISO
When organisations reach a certain size, employing a CISO is a must. It should be someone who has an established track record of moving organisations from an immature to a strong security posture and who can bring real experience to achieving best practice.
Ensure that there is adequate provision allocated to invest in skilled staff and up-to-date security-enabling technologies, particularly enterprise-wide encryption, both of which will be a strong weapon in your armoury should a breach occur.
Training and awareness programs
Effective training programmes reduce employee negligence by educating staff to understand the very real risks and threats posed by cyberattacks, and that everyone is working together to protect against potential infiltrators.
Regular security vulnerability audits
Undertake regular assessments which ensure that any security holes (vulnerabilities) in a computer, network, or communications infrastructure are identified, so that adequate measures can then be taken to address them and guard against them recurring in the future.
Manage third-party risk
Having a comprehensive programme with policies and assessments for managing third-party risk, together with an identity and access management (IAM) system, is a good starting point. Categorising who has access to what data and when, ensuring control over who sees what, and having an audit to accompany it are essential.
Participation in threat sharing programs
Taking part in a threat sharing programme with partners and companies you trust offers a better and often faster way to detect attacks, particularly as similar organisations can often be targeted by the same threat. It also stops you from doing work that has already been carried out by someone else.
It is the role of the CISO to educate senior-level executives as to the merits of investing in adequate security defences. Similarly, security must be a board-level topic, and board members should be asking on a regular basis whether the company has a strong security posture and is able to meet the criteria set out above. There can be no denying the very severe penalties that can be suffered as a result of a data breach, and while organisations may view them with some inevitability, failure to invest means a weakened security posture, which could result in millions being wiped off share prices with no hope of a quick recovery.