A recent study by Benjamin Dean (a fellow for internet governance and cybersecurity at Columbia University) of corporate financials from major retailers shows that when it comes to investments in cybersecurity, it makes better short-term financial sense to absorb the costs of a breach than to invest in robust cybersecurity programs. These findings support speculation by many industry observers (including me) who have said for years that retailers do understand cyber risks, but do not see the financial incentives to do anything about them.
The study shows that recent breaches at Target, Home Depot and Sony, while costing hundreds of millions, were essentially negligible to each company’s bottom line due to the company’s overall revenue and the amounts offset by cybersecurity insurance.
Among the report’s findings:
Target’s 2013 breach affected 40 million credit and debit cards and 70 million personal information records. It reported the gross expenses were $252 million. Once the insurance reimbursements and tax deductions were accounted for, the net losses totaled $105 million, equivalent to 0.1% of 2014 sales;
In 2014, Home Depot had a breach that affected 56 million credit and debit card numbers and 53 million email addresses. The home improvement retailer incurred net expenses of $28 million after an insurance reimbursement of $15 million. Those expenses are less than 0.01% of Home Depot’s 2014 sales; and
Sony reported the November 2014 hack into its computer systems, which exposed Social Security numbers and personal emails, would cost $44 million. However, estimates now put the impact at $15 million in investigation and remediation costs. These losses represent 0.9%-2% of Sony’s total projected sales for 2014.
This further reiterates my belief that the only way change will happen is if consumers demand higher levels of security from retailers. As we are seeing right now in Indiana and the public outcry over RFRA – when the public speaks up, they can move mountains. Cybersecurity is no different.
ICIT has recently added the Retail sector as one of its areas of focus for upcoming legislative briefings due to requests from the legislative community. If there is anyone out there interested in contributing, please read more about our current initiatives; we look forward to hearing from you.
Senators Baldwin (WI) and Thune (SD) reintroduced their “Quality Data, Quality Healthcare Act” today, which aims at providing greater access to Medicare and Medicaid claims by modernizing and reforming the Qualified Entity (QE) program, which according to the Senators is too restrictive in its current form with respect to which organizations can participate and what QEs can do with the data once they are in the program.
The new legislation would make two major changes to the QE program:
Allow QE organizations receiving Medicare data to analyze and redistribute the data to authorized subscribers (insurers, health systems, and physicians) so that subscribers can make more informed decisions; and
Permit those entities to charge a voluntary fee to their subscribers so that the organizations can conduct robust analyses to improve healthcare quality and reduce costs.
According to Robert Rahmer, who leads IARPA’s Cyber-attack Automated Unconventional Sensor Environment (CAUSE) program, one of the biggest factors in the security industry’s inability to stay ahead of cyber threats is a model built heavily on looking backwards and analyzing what has happened, instead of looking forward to predict the future. Just look around at the majority of vendors and software platforms available and you will see he’s spot on.
To that end, DNI’s CAUSE program will fund researchers who are developing truly innovative and ‘unconventional’ techniques to combat cyber threats and make these technologies available to federal agencies and the private sector. Look for an official agency announcement on the CAUSE program by the end of fiscal 2015.
At last month’s ICIT Fellow meeting, one of the topics discussed at great length was how increased cybersecurity awareness among consumers could serve as a catalyst for improved security in technology-based products and services. Our theory was simple: if consumers were more informed, they would demand better security and ultimately ‘speak’ up the best way they know how – with their wallets. This would finally force industry to step up its game and make the changes necessary to improve security to the levels which we are capable of today but are simply not doing due to economically driven decision making.
As cyber professionals, we know that technologies exist which can dramatically improve security and consumer privacy but are not being used because of financially motivated decisions on the part of industry. The credit card and retail industry has not mandated the use of “chips” in all cards due to the cost of infrastructure updates required; dual-factor authentication has been available for years but is still sparsely used on sites, devices and in organizations; and document encryption technologies that would dramatically decrease the impact of breaches are still considered ‘innovative’, not the norm.
Taking a page out of the PR playbook, I believe it is time for the cyber community to take the lead in a major national awareness campaign such as those we have seen in the past which have permanently shaped public opinions and influenced legislation and industry standards for the benefit of society. Like the brilliant ads around car safety, littering, and forest fires, we desperately need a national ‘cyber’ campaign which lets consumers know that their privacy can be significantly improved and they do not have to settle for a constant barrage of data loss; it just takes a combination of personal change and industry action.
Of course, any action of this magnitude must come from the highest levels of government or an organization with equally impressive reach. I know it will happen; the question is by whom, and when.
(Until then, I thought it would be fun to look at some of the ads I reference in this post. Who remembers these from Saturday morning cartoons?!)