The True Cost of Cyberattacks on Companies

Target credit card hacking incident highlights growing enterprise exposure to cyberrisk
By James Grundvig
James Grundvig
James Grundvig
James Grundvig is a former contributor to Epoch Times and the author of “Master Manipulator: The Explosive True Story of Fraud, Embezzlement and Government Betrayal at the CDC.” He lives and works in New York City.
January 2, 2014 Updated: January 2, 2014

Target Corporation is just learning the true cost of its data breach, which exposed 40 million credit card customers.

Consequences of the breach include three class action lawsuits, a regulatory probe, loss of consumer confidence, and a 3 percent drop in sales compared to the same time last year. Perhaps the biggest one is yet to come: a blow to its reputation.

Measuring the Cost

How does a large brand like Target measure the bruises to its reputation?

The answer is sentiment analysis. Opinion mining was developed during World War II. After the war, German industrial giants like Volkswagen used it to improve workflow efficiency to drive the “German Economic Miracle.”

Over the past decade, sentiment analysis has been deployed across many sectors, including consumer feedback on movies, food, and beverages. The Internet has spurred the analytics with online surveys that have evolved with social media platforms.

In 2014, sentiment analysis will be repurposed for enterprises to mine shareholders’ reactions to data breaches, to gauge public confidence on a company’s ability to execute a crisis management plan, and to measure how a dented reputation has devalued stock price.

The Citigroup Example

One such event occurred at Citigroup two years ago.

“On May 10, 2011, Citigroup discovered that hackers stole $2.7 million from 3,400 Citi credit card customers. But the cost to the bank’s market valuation was much higher,” according to estimates provided by Corr Analytics.

“The attack contributed to a 17 percent slide in the company’s market capitalization between the day of the breach and a month later on June 8,” said Anders Corr, a Harvard doctoral graduate and founder of Corr Analytics.

“The data breach at Citi had some contagion effect in the overall financial sector. The loss during that period to the company’s (common) stock valuation was approximately US$21.6 billion. The loss was steepest starting June 3, when the company announced the breach to its customers.”

Metrics of Cyberattacks

The cost of cyberattacks exceeds the theft of stolen data. Costs such as legal, public relations, communication, and stock price decline can be quantified.

More problematic is the erosion of a company’s reputation. The collateral damage that a breached company has on others is also sizable, though hard to quantify. A week after the Target breach was announced, JPMorgan Chase announced that 2 million customers’ cards had been exposed. Chase is now part of the Target hacking debris field.

In a Business News Daily article, Chad Brooks noted, “Just 10 percent of organizations feel confident in their ability to effectively analyze security data.”

“Kroll [corporate investigations and risk consulting firm] predicts that the new cybersecurity issues for 2014 will include: National Institute of Standards and Technology (NIST) and similar security frameworks will become the de facto standards of best practices for all companies,” Brooks said.

The NIST framework will be finalized by February 2014, dovetailing with President Obama’s cybersecurity initiative. What will it recommend?

“Cybersecurity is of great concern to investors, banks, and hedge funds. Intrusions can cause loss of data that compromise trading strategies, the security of electronic funds, exposure of client data, and physical damage to real assets. Reputation costs are usually more significant than actual loss,” said Dr. Corr of Corr Analytics, a political risk analysis firm serving clients who invest globally.

Dr. Doug Bond, founder and president of Virtual Research Associates, explained via email: “Those who use today’s big data tools sometimes fail to acknowledge the theoretical foundations upon which they are building. Operational code analysis has been used to anticipate decisions of leaders based upon a leader’s perceptions of the flow of political events. This line of research into attitudes, beliefs and values, and how they shape our interactions and decision-making began more than 65 years ago just after the second world war.”

Retasking the Safety Act

“Countries with high levels of corruption, combined with robust hacker communities, impose a higher degree of risk to investors from cybercrime. From a purely cyberrisk perspective, some of the worst countries in which to invest are Russia, China, Brazil, Turkey, Romania, India, Hungary, Ukraine, Argentina, and Poland,” Corr said.

How can enterprises reduce their risk and liability to cyberbreaches?

Part of the answer lies in the 12-year-old Safety Act. Under the Department of Homeland Security, the Safety Act’s mission is to “support anti-terrorism by fostering Effective Technologies Act of 2002.”

The Safety Act, which may be amended to have stronger cyberlanguage, offers a clear path for enterprises to better prepare against cyberattacks, calm stakeholders’ opinions from turning negative, and respond to stay ahead of the story.

The problem for the 90 percent of the corporations that don’t have a handle on how to reduce their liability and respond to public sentiment starts with data management. Most enterprises don’t have a full view of their IT ecosystems.

More troublesome have been the sprawl of email, dataflow, and mushrooming of user endpoints. When a company is forced to upgrade database systems or migrate data to a cloud environment, it’s often done with insufficient planning.

Exposure to Cyberattacks

Such an event happened at Knight Capital Group. As the market opened on Aug. 1, 2012, Knight had switched IT systems, but did so without the proper controls in place. Over the next 45-minutes, millions of erroneous trades bled $460 million in losses.

This year, the Securities and Exchange Commission (SEC), which levied a $12 million settlement, wrote in its Administrative Proceedings on Oct. 16, “Knight did not have technology governance controls and supervisory procedures sufficient to ensure the orderly deployment of new code or to prevent the activation of code no longer intended for use in Knight’s current operations but left on its servers that were accessing the market.”

Joe Buonomo, CEO of Direct Computer Resources (DCR), was one of the early adopters of the Safety Act for information privacy products. In an interview with Buonomo, I asked what data obfuscation technology can do for the enterprise.

“Think of encryption as good data in motion. Once the data arrives at the location, it gets unencrypted. That endpoint of data is a vulnerability,” said Buonomo, a personable, 40-year veteran of the IT space.

“Data masking or cloaking removes information that points to master files, names, addresses, and transaction files. They all have pointers, unlike tape systems of the past,” he said. “There are ways for hackers to follow pointers, CPU cycles. Some of the challenges to obfuscation are the size and time it takes to mask the data. Take a large bank in England. Their problem? Billions of records needed to obfuscate across 26 business units. We said let us do three business units first. This was just before the 2008 financial crisis.”

He paused with a grin, and said, “We took the billions of bank records, what would take 500 days of CPU time with India software, and we showed them how to do it in eight hours. We masked their transaction. If hacked, the information doesn’t match. So masking data isn’t only about encryption, but obfuscation when decrypting sent data. Combined, they are nearly tamperproof.”

With a final thought from Corr on the importance of the Safety Act and the NSA data mining sweeps, he said, “The NSA revelations clarified that background checks are insufficient, and that a greater degree of information compartmentalization needs to take place. This applies not only in the government sector, but in the private sector as well. Business-confidential information is highly vulnerable to theft by employees. Improved information security measures must be implemented to firewall highly-sensitive business information from anyone internally without a need-to-know.”

Sean Singleton, managing director of Oglethorpe Capital, which organizes financing and facilitates technology transfers for new cyberventures, stated, “We focus on companies who understand that cybersecurity is an enterprise risk issue that, in addition to financial consequences, can present legal and reputation uncertainty.”

One company combines these tools and others to quantify enterprise exposure to cyberrisk. New World Technology Partners, in which Singleton is an adviser, employs system analysis methods to measure and aggregate the financial, reputation, political, legal, and regulatory consequences of high-impact cyberevents into a Cyber Risk Balance Sheet.

The less data is masked, obfuscated, or compartmentalized, the more it invites hackers and increases liability. The Safety Act and NIST cybersecurity plan will show the way. But businesses need to see the threat and opportunity to keep ahead of cybercriminals.

James O. Grundvig is a columnist and freelance journalist based in New York. He is a frequent contributor to the Epoch Times.


James Grundvig
James Grundvig
James Grundvig is a former contributor to Epoch Times and the author of “Master Manipulator: The Explosive True Story of Fraud, Embezzlement and Government Betrayal at the CDC.” He lives and works in New York City.