Data breaches have an impact. We all know that.
Most obviously the aftermath is felt by the victims - your customers' personal and sensitive information may have been exposed, malicious hackers may have exploited stolen credentials to break into other systems, and hacked data could have been abused to commit identity theft or fraud.
A side effect of this is that your customers' loyalty to your organisation may be shaken. They may simply decide that enough is enough, and that they aren't prepared to do business with you anymore. Companies spend years building a reputation, only to have it destroyed in minutes by a hacker.
A new study by the Ponemon Institute has explored the impact of data breaches on a company's reputation and share value, and come up with some interesting conclusions.
For the purposes of the report, researchers analysed 113 publicly traded companies that experienced a data breach that saw customer or consumer data being stolen by hackers.
Tracking the stock prices for 30 days prior to the announcement of the breach and 90 days after, the analysis discovered that the average stock price dropped 5% immediately upon disclosure. Share price recovery, however, depended on several factors:
"Companies that self-reported their security posture as superior and quickly responded to the breach event recovered their stock value after an average of 7 days."
"In contrast, companies that had a poor security posture at the time of the data breach and did not respond quickly to the incident experienced a stock price decline that on average lasted more than 90 days."
The report, which surveyed over 500 consumers alongside almost 800 IT practitioners and senior-level marketing professionals, reported that 31% of consumers said they discontinued their relationship with companies that had suffered a data breach. 65% of those consumers who had been affected by one or more breaches said that they had lost trust in breached organisations.
None of which, of course, is good for business.
What is perhaps most alarming in the report is the apparent disconnect between what consumers expect of the companies storing their data, and the companies themselves.
80% of consumers, according to the survey, believe that companies have a responsibility to take reasonable precautions to ensure their personal information is secured - and yet only 48% of marketing chiefs and 48% of IT practitioners agreed with them.
Only 47% of those marketing staff surveyed, and 46% of the IT security professionals, felt that organisations have an obligation to control access to consumers' information - a stark difference from the 71% of consumers who feel that their data should be treated with greater care.
And alarms should be sounded about the public's perception of security and privacy in the healthcare industry.
80% of consumers say that they trust healthcare providers to keep their personal data safe, compared to 26% who trust credit card companies. But, Ponemon reports, healthcare organisations account for over a third of all data breaches, compared to a mere 4.8% affecting financial organisations. The banks, the credit card companies and the finance companies have invested significantly more in computer security than their peers in the often poorly-maintained healthcare industry.
Whatever your company's line of business, you must always remember that your customers are placing their trust in you to do everything possible to respect the security and privacy of their private information. Shirking that responsibility puts you on the road to a data breach which could result in you losing clients, taking a hit on the share price, and potentially cost you millions of dollars.
Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by companies such as Sophos, McAfee and Dr Solomon's. He has given talks about computer security for some of the world's largest companies, worked with law enforcement agencies on investigations into hacking groups, and regularly appears on TV and radio explaining computer security threats. Graham Cluley was inducted into the InfoSecurity Europe Hall of Fame in 2011, and was given an honorary mention in the "10 Greatest Britons in IT History" for his contribution as a leading authority in internet security.