In my first day of sessions at RSA Conference 2018, I noticed a recurring theme: risk mitigation framed as protecting the business vs. protecting the consumer. While no organization would publicly state that the primary focus of its cybersecurity is to protect shareholder value rather than consumer well-being, the unfortunate truth is that for most organizations, the bottom line is really what drives cybersecurity investments.
My knee-jerk reaction, when seeing a couple of presentations on this topic, was that it had to be wrong. How could protecting the bottom line and protecting the consumer not be the same? How could lack of consumer protection not present the greatest risk to the organization’s bottom line? If customers are unhappy or lose confidence in an organization, wouldn’t client churn inevitably lead to destruction of the bottom line?
Am I loyal to a fault?
While that seemed to be the logical association, I thought to myself, how many times has my information – in any form – been breached (that I know about, that is)? Between Panera, MyFitnessPal and Equifax alone, I realized that almost every piece of information that digitally identifies me has been compromised to some extent, including my financial data.
I then thought about friends and family. Between healthcare organizations, retail and social media breaches, essentially every person I know has been a victim multiple times over. The real question is, did any of us delete our accounts, campaign against the organizations or stop doing business with any of them? Unfortunately, no. Equifax still has my data, I still eat at Panera, I still track things in MyFitnessPal, and friends and family would all say the same with respect to the organizations that breached their data.
The unfortunate reality is that breaches of personal, financial or social data seem to have become commonplace in today’s digital world. The common consumer has a short reaction cycle; it essentially manifests as irritation, concern, hope and ultimately little to no action. More digitally conscious consumers may implement credit monitoring (sometimes paid for by the breached organization), freeze their credit, change passwords, watch bank accounts closely, etc. Yes, the consumer may be sent a new credit card, spend a couple of minutes changing passwords, or an hour or two implementing credit monitoring or credit locks, but that’s about it. It’s typically not life-disrupting for most. It’s simply an inconvenience.
Business as usual after a breach
If you look at the stock prices of publicly traded companies that have been breached, there is typically a knee-jerk reaction from the time of the press release. The stock price has a short-term dip, the breach stays in the news for a couple of days or weeks until the next big breach hits, and things return to normal. Consumers don’t leave in a mass exodus for competitors or riot in the streets demanding the jobs of those responsible.
If this is the case, then what is meant by protection of the business? Obviously, there is protection of intellectual property and disruption of production, but nothing affects the bottom line more than a client discontinuing business, right?
Enter the auditor
In the eyes of a Board, the possibility of an attack is theoretical. In a sense, hackers may attack or they may not, but an auditor will always show up, and the repercussions for non-compliance can far outweigh the consequences that we’ve seen from recent consumer reactions. For the Board, regulations and their resulting consequences make their way into governance, and the short-term and long-term penalties can have far-reaching, business-disrupting possibilities.
With regulations getting tighter and tighter and penalties getting bigger, the long-term risk presented by a breach is not by the consumer, but by regulators tasked with protecting those who may not know how to protect themselves. In essence, regulators are becoming the judge, jury and executioner for the people.
When examining this further, I started to list the short-term and long-term consequences of a breach and how many were associated with what an auditor could potentially influence:
- Legal fees associated with regulatory hearings
- Communication and PR required by breach notification mandates
- Crisis team management
- Consulting or 3rd party involvement
- Loss of staff or turnover
- Establishment of identity protection for victims
- Establishment of call centers
- Class action lawsuits
- Reputation loss and good will
- Requirement to notify outside firms, including 3rd parties and business firms
- Increased security investments including measurements against policies and governance requirements possibly over years proving due diligence and marked improvements
- Higher incident, forensic and penalty costs for repeat violations
- Time/resources lost from strategic projects
While this list only represents some of the consequences that an auditor could influence or directly levy, the risk to the business is real and likely farther reaching than what today’s consumers present.
In conclusion, while I still think protecting the consumer protects the business, I think there has been a shift from a consequential standpoint: from the consumer, who has the power and motivation to penalize, to the auditor, who represents the consumer by holding businesses accountable and ultimately affecting the bottom line.
We can help
At eSentire, we protect clients from cyber threats that could potentially end their business. Our 24x7 Security Operations Centers (SOC) are staffed by elite security analysts who hunt, investigate and respond to known and unknown threats in real time. Beyond detection and response, our clients also benefit from expert advice on how to address risks and known gaps and build a comprehensive cybersecurity program that meets even the strictest regulatory requirements.