The True Cost of Cyberattacks on Companies
From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Thu, 2 Jan 2014 21:43:23 -0700
Target Corporation is just learning the true cost of its data breach, which
exposed 40 million credit card customers.
Consequences of the breach include three class action lawsuits, a
regulatory probe, loss of consumer confidence, and a 3 percent drop in
sales compared to the same time last year. Perhaps the biggest one is yet
to come: a blow to its reputation.
Measuring the Cost
How does a large brand like Target measure the bruises to its reputation?
The answer is sentiment analysis. Opinion mining was developed during World
War II. After the war, German industrial giants like Volkswagen used it to
improve workflow efficiency to drive the “German Economic Miracle.”
Over the past decade, sentiment analysis has been deployed across many
sectors, including consumer feedback on movies, food, and beverages. The
Internet has spurred the analytics with online surveys that have evolved
with social media platforms.
In 2014, sentiment analysis will be repurposed for enterprises to mine
shareholders’ reactions to data breaches, to gauge public confidence on a
company’s ability to execute a crisis management plan, and to measure how a
dented reputation has devalued stock price.
The Citigroup Example
One such event occurred at Citigroup two years ago.
“On May 10, 2011, Citigroup discovered that hackers stole $2.7 million from
3,400 Citi credit card customers. But the cost to the bank’s market
valuation was much higher,” according to estimates provided by Corr
“The attack contributed to a 17 percent slide in the company’s market
capitalization between the day of the breach and a month later on June 8,”
said Anders Corr, a Harvard doctoral graduate and founder of Corr Analytics.
“The data breach at Citi had some contagion effect in the overall financial
sector. The loss during that period to the company’s (common) stock
valuation was approximately US$21.6 billion. The loss was steepest starting
June 3, when the company announced the breach to its customers.”
Metrics of Cyberattacks
The cost of cyberattacks exceeds the theft of stolen data. Costs such as
legal, public relations, communication, and stock price decline can be
More problematic is the erosion of a company’s reputation. The collateral
damage that a breached company has on others is also sizable, though hard
to quantify. A week after the Target breach was announced, JPMorgan Chase
announced that 2 million customers’ cards had been exposed. Chase is now
part of the Target hacking debris field.
In a Business News Daily article, Chad Brooks noted, “Just 10 percent of
organizations feel confident in their ability to effectively analyze
“Kroll [corporate investigations and risk consulting firm] predicts that
the new cybersecurity issues for 2014 will include: National Institute of
Standards and Technology (NIST) and similar security frameworks will become
the de facto standards of best practices for all companies,” Brooks said.
The NIST framework will be finalized by February 2014, dovetailing with
President Obama’s cybersecurity initiative. What will it recommend?
“Cybersecurity is of great concern to investors, banks, and hedge funds.
Intrusions can cause loss of data that compromise trading strategies, the
security of electronic funds, exposure of client data, and physical damage
to real assets. Reputation costs are usually more significant than actual
loss,” said Dr. Corr of Corr Analytics, a political risk analysis firm
serving clients who invest globally.
Dr. Doug Bond, founder and president of Virtual Research Associates,
explained via email: “Those who use today’s big data tools sometimes fail
to acknowledge the theoretical foundations upon which they are building.
Operational code analysis has been used to anticipate decisions of leaders
based upon a leader’s perceptions of the flow of political events. This
line of research into attitudes, beliefs and values, and how they shape our
interactions and decision-making began more than 65 years ago just after
the Second World War.”
Retasking the Safety Act
“Countries with high levels of corruption, combined with robust hacker
communities, impose a higher degree of risk to investors from cybercrime.
From a purely cyberrisk perspective, some of the worst countries in which
to invest are Russia, China, Brazil, Turkey, Romania, India, Hungary,
Ukraine, Argentina, and Poland,” Corr said.
How can enterprises reduce their risk and liability to cyberbreaches?
Part of the answer lies in the 12-year-old Safety Act. Under the Department
of Homeland Security, the Safety Act’s mission is spelled out in its full
name: the “Support Anti-terrorism by Fostering Effective Technologies Act of 2002.”
The Safety Act, which may be amended to have stronger cyberlanguage, offers
a clear path for enterprises to better prepare against cyberattacks, calm
stakeholders’ opinions from turning negative, and respond to stay ahead of
The problem for the 90 percent of the corporations that don’t have a handle
on how to reduce their liability and respond to public sentiment starts
with data management. Most enterprises don’t have a full view of their IT
More troublesome have been the sprawl of email, dataflow, and mushrooming
of user endpoints. When a company is forced to upgrade database systems or
migrate data to a cloud environment, it’s often done with insufficient
Exposure to Cyberattacks
Such an event happened at Knight Capital Group. As the market opened on
Aug. 1, 2012, Knight had switched IT systems, but did so without the proper
controls in place. Over the next 45 minutes, millions of erroneous trades
bled $460 million in losses.
This year, the Securities and Exchange Commission (SEC), which levied a $12
million settlement, wrote in its Administrative Proceedings on Oct. 16,
“Knight did not have technology governance controls and supervisory
procedures sufficient to ensure the orderly deployment of new code or to
prevent the activation of code no longer intended for use in Knight’s
current operations but left on its servers that were accessing the market.”
Joe Buonomo, CEO of Direct Computer Resources (DCR), was one of the early
adopters of the Safety Act for information privacy products. In an
interview with Buonomo, I asked what data obfuscation technology can do for
“Think of encryption as good data in motion. Once the data arrives at the
location, it gets unencrypted. That endpoint of data is a vulnerability,”
said Buonomo, a personable, 40-year veteran of the IT space.
“Data masking or cloaking removes information that points to master files,
names, addresses, and transaction files. They all have pointers, unlike
tape systems of the past,” he said. “There are ways for hackers to follow
pointers, CPU cycles. Some of the challenges to obfuscation are the size
and time it takes to mask the data. Take a large bank in England. Their
problem? Billions of records needed to obfuscate across 26 business units.
We said let us do three business units first. This was just before the 2008
He paused with a grin, and said, “We took the billions of bank records,
what would take 500 days of CPU time with India software, and we showed
them how to do it in eight hours. We masked their transaction. If hacked,
the information doesn’t match. So masking data isn’t only about encryption,
but obfuscation when decrypting sent data. Combined, they are nearly
Corr offered a final thought on the importance of the Safety Act and the
NSA data mining sweeps: “The NSA revelations clarified that
background checks are insufficient, and that a greater degree of
information compartmentalization needs to take place. This applies not only
in the government sector, but in the private sector as well.
Business-confidential information is highly vulnerable to theft by
employees. Improved information security measures must be implemented to
firewall highly-sensitive business information from anyone internally
without a need-to-know.”
Sean Singleton, managing director of Oglethorpe Capital, which organizes
financing and facilitates technology transfers for new cyberventures,
stated, “We focus on companies who understand that cybersecurity is an
enterprise risk issue that, in addition to financial consequences, can
present legal and reputation uncertainty.”
One company combines these tools and others to quantify enterprise exposure
to cyberrisk. New World Technology Partners, where Singleton serves as an
adviser, employs system analysis methods to measure and aggregate the
financial, reputation, political, legal, and regulatory consequences of
high-impact cyberevents into a Cyber Risk Balance Sheet.
The less data is masked, obfuscated, or compartmentalized, the more it
invites hackers and increases liability. The Safety Act and NIST
cybersecurity plan will show the way. But businesses need to see the threat
and opportunity to keep ahead of cybercriminals.
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
sales () riskbasedsecurity com
Risk Based Security (http://www.riskbasedsecurity.com/)