By Shawn M. Thompson, Esq.
In a previous blog, the size and scope of the threat posed by trusted insiders was examined, and insiders were found to be involved in the great majority of security events (greater than 90%). Building on that conclusion, we now turn to the types of impact that insider threats can have on organizations (the costs of specific insider threat events will be examined in a subsequent post). Impacts are the adverse effects an organization experiences as a result of a security event. These adverse effects generally fall into five categories: value, operations, reputation, culture, and liability.
Value refers to the monetary qualities of the business. There are three categories of value: market value, intrinsic value, and revenue.
Insider threat events can have a direct impact on the market value of a business. For example, when the arrest of former Booz Allen contractor Harold Martin was announced, Booz Allen’s share price immediately fell by 5%. Another example involved an auditor for a large company who embezzled $5 million. Upon public disclosure of his arrest, the stock plunged 10%.
Insider threat events can also have a direct impact on the intrinsic value of a business, since intellectual property can account for 50 to 80% of a business's value. Theft of new product designs and strategies can have catastrophic consequences.
Insider events can also directly impact revenue. The intellectual property theft at American Superconductor immediately resulted in the loss of $800 million in revenue. According to Cisco, nearly one-third of businesses that suffered a breach lost more than 20% of their revenue. That’s real money!
Operations refers to the ability of a business to execute its mission. There are three general categories of operational impact: operational disruption, increased overhead, and remediation costs.
Operational disruption is difficult to quantify but includes unplanned expenses, increased staffing, inability to deliver goods and services, and excessive or new R&D costs. A detailed study by Deloitte estimated that for a large company that suffered intellectual property theft, the five-year operational disruption cost would be a whopping $1.2 billion!
Increased overhead due to necessary cyber security improvements, staff retraining, etc. also impacts business operations and can exceed $13 million for a large corporation.
According to the Ponemon Institute, the average remediation cost was $4.3 million in 2016 but decreased to $3.6 million in 2017. However, according to Deloitte, remediation costs can be much higher and exceed $10 million. This is, of course, largely fact specific, depending on the size of the organization, the degree to which the organization was harmed, and the mitigation actions required.
Reputation impact can be assessed by examining three areas: public relations expenditures, customer relationships, and the devaluation of trade names. Reputation, although difficult to quantify, is often the second most affected aspect of the business following a compromise, second only to value. According to Cisco, half of organizations that were breached expended significant resources to actively manage their reputation, and 42% of them lost nearly 20% of their existing customer base. Moreover, a detailed study by Deloitte found that new customer acquisition decreased by as much as 50%. The study also revealed that large companies spent an average of $1 million over a 12-month period to restore their reputation. The same study revealed that a large company could experience an impact of $250 million over a five-year period from the devaluation of its trade name alone.
Culture is often ignored when impacts are discussed; however, culture is the lifeblood of any organization. Culture holds the shared values, norms, beliefs, and assumptions that ultimately drive employees' actions. According to the Society for Human Resource Management, typical businesses experience 24% turnover each year, and most employees stay only 4.5 years in a position; millennials stay even less, two years on average. This creates financial and logistical problems, but also data protection problems. According to research, most employees intentionally take confidential data with them when they leave, and most will seek to use it to the detriment of the organization. Add a significant corporate impact such as a data breach to this equation and the impact on culture is dramatically magnified. This can result in additional turnover, increased distrust, and eroding morale, all of which can exacerbate the effects of a breach. In short, culture shapes everyday behavior, and a bad culture will lead to bad behavior.
Liability refers to the external costs that are levied on an organization. Liability costs include compliance fines, breach notification costs, increased insurance costs, and litigation costs, including attorney fees. These costs can be large, ranging from $20 per breached customer record, to $3 million in litigation costs, to a 200% increase in insurance costs, and fines that can exceed $1 million. Moreover, litigation settlements can exceed tens of millions of dollars for large breaches.
Insider threats can have a profound impact on an organization. Beyond the lost value of the asset that was removed, disclosed, or destroyed, organizations can suffer immediate losses of intrinsic value as well as lost revenue. The ability to deliver goods and services may also be adversely affected, as may reputations, both corporate and individual (see the Target firings). Lastly, an insider event may affect the culture of an organization, which can lead to increased turnover and distrust, further exacerbating the effects of the breach and increasing security vulnerabilities.