Data breaches are now, unfortunately, essentially inevitable for companies big and small. So when Yahoo! announced their second hack in four months, the latest one exposing over one billion(!!!) user accounts, it was met with shock. Partially because their first breach had already exposed 500 million user accounts, and partially because nobody could believe that Yahoo! had well over one billion accounts when there are only an estimated 3.2 billion internet users in the world.
Any company can get hacked. So the fact that Yahoo! was hacked wasn’t much of a revelation; rather, all the ruckus was related to the size of it. In general, data breaches happen so often they barely make the news, and only the biggest ones gain real traction. For example, if I gave you a quiz and asked you to tell me which of Snapchat, Dropbox, LinkedIn, Oracle, Cisco, and Verizon were subject to data breaches in 2016, could you pick the right one(s)?
Unless your answer was all of the above, you’d be wrong.
The Cost of a Data Breach
The point is that it’s a Sisyphean task for companies to create an impenetrable enterprise security system. Everyone from the U.S. Department of Justice to your local Wendy’s (maybe) has been hacked, so what’s the point? Why even spend the money on all these improvements? Just deal with the fallout when it inevitably comes.
Well, that fallout commonly means a $7 million bill.
According to The Ponemon Institute’s 2016 Cost of Data Breach Study (sponsored by IBM), that’s what the average breach costs American companies. This figure takes everything under the sun into account, from hiring forensic experts to determine the cause of the breach, to projecting customer fallout resulting from the hack.
And of course the high end of these costs is… well, honestly, they can get insane. Anthem’s 2015 breach of 80 million personal records is thought to have cost the company well over $100 million, while Target says their 2014 credit card hack set them back to the tune of $162 million. And that’s before any lawsuits resulting from these breaches are decided.
No matter how big a company is, nine-figure costs associated with breaches have them paying attention. But these costs aren’t big enough to force meaningful changes.
While companies won’t sit back and do nothing, they’re not yet financially motivated to take serious action. While $100+ million in fallout is a lot of money, Anthem had revenues of over $79 billion in 2015, and Target had revenues of over $73 billion in 2013. This means their data-breach-related costs amounted to considerably less than a percent of their yearly revenues. So these nine-figure breach costs aren’t actually that scary, because at the end of the day, they barely affect the bottom line.
Where to Go from Here
Data breaches, enterprise security and privacy are all popular topics. There’s a lot of good reporting out there on all of these subjects, and the big breaches receive a substantial amount of media attention. But that’s where the impact seems to stop. Consumers might be distressed by a data breach, but in most cases they won’t really change their patterns. The story hits the news, people gasp at the breach, and then seemingly forget about it. Or at least our collective wallets do.
And the thing is, although we’ve spent a considerable amount of time in this post bemoaning the inevitability of data breaches, there are steps companies can take. They aren’t completely helpless. For example, Yahoo! didn’t realize they had a breach of over one billion accounts until law enforcement brought it to their attention. There are tools that use document-level audit trails to identify suspicious behavior, giving the company the ability to nip a potential breach in the bud, before it swells to ONE BILLION ACCOUNTS.
Sorry, just still can’t believe Yahoo! even had that many accounts to begin with.
There are tools out there that can help companies mitigate the damage caused by breaches, but right now they aren’t very well incentivized to seek them out. Whether it’s consumers beginning to change their buying habits based on how companies handle their consumer privacy and security decisions, or the government stepping in to hold companies accountable, one way or another something has to give if anything is going to change.
Otherwise, it’s just a matter of time till the next Yahoo! rolls around.