Is it really cheaper to get hacked?
A few days ago Iain Thomson published Sad reality: It's cheaper to get hacked than build strong IT defenses on The Register, which argues that it's cheaper to get hacked and accept the consequences than to invest in information security, based on a study by the RAND Corporation published in the Journal of Cybersecurity. That article prompted reflection among security professionals on whether security is still relevant, since its return on investment seems to be negative. And it turns out that yes, it is still very relevant, because data breaches that leak customer data are only one part of the security big picture.
While it's true that so far hacks barely affect a company's stock value, as Elena Kvochko and Rajiv Pant explain in their Harvard Business Review article, and as the image below shows for Yahoo's stock since the company disclosed a data breach that leaked more than 500 million accounts (the biggest known data breach in history so far), the impact of a data breach varies with the data involved and has other consequences beyond stock price fluctuation.
Figure 1: Yahoo stock from Yahoo Finance between August 30th and September 28th. The hack was disclosed on September 22nd, which caused a slight dip in stock value, but it returned to its previous level within one week.
One example is the epic data breach of the dating website Ashley Madison, whose slogan is “Life is short. Have an affair.” The breached data included not only customer data but also source code repositories, emails and financial records, as the message left by the hacker(s) and quoted in the article claims. And the golden nugget of this entire breach was the scam that was uncovered after analyzing the data.
Ashley Madison used chatbots to lure cheaters, then threatened to expose them when they complained, and had very few registered women. According to Business Insider, "(...) only 1,492 of the women in the database had ever opened their inboxes to check their messages on the site. That's compared with more than 20 million men (...)".
The point of this example is that having your data stolen is fundamentally different from realizing that you were scammed. People don't seem to leave a service after a breach (Twitter and LinkedIn were breached and users are still there using their services), but being betrayed is another story.
In this case, for the dating site, I would argue that the 'source code' and everything related to the website's 'inner workings' should be classified as more sensitive than customer data, because the breach impact is bigger. So when we talk about a data breach, it really depends on the type of data that was leaked.
However, despite this betrayal from the customer's perspective, Ashley Madison bet on a comeback and says that more users signed up even after the scandal; but unless a third party confirms it, it's hard to be sure that this isn't a marketing announcement to protect the brand. They're also pivoting their business model, according to Marketing Week's post.
Without going into the ramifications of the hack, which include the resignation of the CEO, bad press and more, there is no denying that cyberattacks have a cost. You just need to keep the cost of your defenses below that cost, which may vary depending on the data type. This concept is the so-called 'risk acceptance' that security professionals are taught, and when aligned with senior management it is used to define the organization's risk appetite.
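To make the risk-acceptance idea concrete, here is an added Python example (not code from the original post, The Register article or the RAND study) that compares the yearly expected loss per data type against the yearly cost of the controls that would reduce it, and records whether each residual risk is accepted or mitigated. The asset names mirror the post's data types; every figure (loss per breach, yearly rate, control cost, control effectiveness, risk appetite) is a constructed assumption for illustration only.

```python
"""Risk-acceptance worked example (added illustration, not from the original post).

Annual loss expectancy (ALE) = single loss expectancy * annual rate of occurrence.
A control is worth buying when the loss it avoids per year exceeds its yearly cost;
otherwise the residual risk is accepted. All numbers below are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    single_loss: float      # estimated loss per breach of this data type (constructed)
    annual_rate: float      # expected breaches per year (constructed)
    control_cost: float     # yearly cost of the proposed control set (constructed)
    control_effect: float   # fraction of expected loss the controls remove, 0..1 (constructed)


def annual_loss_expectancy(asset: Asset) -> float:
    """ALE = single loss expectancy * annual rate of occurrence."""
    return asset.single_loss * asset.annual_rate


def decide(asset: Asset) -> dict:
    """Mitigate when the loss avoided per year exceeds the control cost; otherwise accept."""
    ale = annual_loss_expectancy(asset)
    avoided = ale * asset.control_effect
    action = "mitigate" if avoided > asset.control_cost else "accept"
    return {
        "asset": asset.name,
        "ale": ale,
        "avoided": avoided,
        "net_benefit": avoided - asset.control_cost,
        "action": action,
    }


# Constructed portfolio: the post's point is that 'inner workings' can carry a
# bigger breach impact than customer data, so it gets the largest single loss here.
PORTFOLIO = [
    Asset("customer data", single_loss=2_000_000, annual_rate=0.10,
          control_cost=150_000, control_effect=0.5),
    Asset("source code / inner workings", single_loss=30_000_000, annual_rate=0.05,
          control_cost=400_000, control_effect=0.6),
    Asset("financial records", single_loss=5_000_000, annual_rate=0.02,
          control_cost=200_000, control_effect=0.4),
]


def risk_register(portfolio=PORTFOLIO) -> list:
    """Decisions for every asset, most valuable control first."""
    return sorted((decide(a) for a in portfolio),
                  key=lambda row: row["net_benefit"], reverse=True)


def accepted_residual_risk(portfolio=PORTFOLIO) -> float:
    """Total yearly expected loss the organization chooses to carry (accepted items)."""
    return sum(row["ale"] for row in risk_register(portfolio) if row["action"] == "accept")


def within_appetite(appetite: float, portfolio=PORTFOLIO) -> bool:
    """True when the accepted residual risk stays inside the risk appetite agreed with management."""
    return accepted_residual_risk(portfolio) <= appetite


if __name__ == "__main__":
    for row in risk_register():
        print(f"{row['asset']:<30} ALE={row['ale']:>12,.0f} "
              f"net benefit of control={row['net_benefit']:>12,.0f}  -> {row['action']}")
    print(f"accepted residual risk per year: {accepted_residual_risk():,.0f}")
    print("within constructed appetite of 500,000:", within_appetite(500_000))
```

With these constructed figures the controls for source code pay for themselves, while the customer-data and financial-record controls cost more than the loss they avoid and are accepted as residual risk. Changing the single-loss estimate for one data type flips its decision, which is the post's point that the answer depends on what data is at stake.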
And to conclude, regarding the RAND Corporation publication, this is Bruce Schneier's take:
(...) The way to look at this is not to conclude that cybersecurity isn't really a problem, but instead that there is a significant market failure that governments need to address.