A new study by Ponemon Institute, sponsored by Experian, has some interesting observations. It is unclear what level of executive responded to their survey, although they said they were all at least managers, 40% report to the C-suite, and 26% are direct reports to the head of marketing or similar.
The interesting ‘bits’ include:
- The hit to the corporate brand value was $180m to $334m (between 17% and 31% of total brand value).
- As a percentage of their organizations’ annual gross revenues, the economic value of reputation
and brand ranged from less than 10 percent to greater than 5X.
- In some cases it could take longer than a year to recover and restore reputation and brand image.
- When asked to rank the information if lost or stolen would result in a diminished reputation or image respondents say customer information would be most devastating. This is followed by confidential financial business information and confidential non-financial business information.
- The average diminished value of the brand as a direct result of losing:
- 100,000 customer records: 21%.
- 100,000 employee records: 12%.
- Trade secrets, new product designs, source code or strategic plans: 18%.
- 82 percent of respondents, their organizations had a data breach involving sensitive or confidential information. On average, they had 2.7 breaches in the past 2 years. Fifty-three percent say the data breaches had a moderate impact on reputation and brand image and 23 percent say it was significant. It is interesting to note that before having a data breach less than half had an incident response plan for customer data breaches in place. However, after the breach 76 percent say their organization put an incident plan in place.
- Data breaches involving confidential employee information are less frequent than data breaches involving confidential customer information. Less than half (46 percent) of organization in this study had a data breach involving the loss or theft of sensitive or confidential employee information. On average, organizations reporting such breaches had 1.5 in the past two years. Only 23 percent say such a breach had a moderate or significant impact on their organization’s reputation and brand image. While one-third say their organization had an incident response plan in place before the breach, 54 percent say they had such a plan in place following the breach.
- Most organizations have had a data breach involving the theft of sensitive or confidential business information. On average these have occurred 2.9 times in these organizations. It is interesting to note that of all types of breaches, the theft or loss of confidential financial information experienced by these organizations seemed to have the most significant impact. Forty-six percent say the impact was moderate and 29 percent say it was significant. Prior to having such a breach, 57 percent had an incident plan in place. However, after such an incident 80 percent say they put a plan in place.
Are these observations consistent with your experience? Do information security practitioners have their priorrities set correctly?