Hidden costs of Sony’s data breach will add up for years, experts say

If there’s one positive to come out of last year’s catastrophic security breach at Sony Pictures Entertainment, Inc., it’s that the incident highlighted just how expensive a serious data breach can be. That’s an important consideration for enterprises because security infrastructure doesn’t come cheap, and justifying the return on an investment that pays off only through problems that never occur can be tricky.

When it comes to cost savings, cutting the security budget is a tempting choice. But security spending buys down the uncertain, and potentially far larger, costs that come with a breach. Which means organizations need a realistic idea of how much a breach could hurt their bottom line if they’re to set a suitable security budget – after all, if a breach would only cost $10 million, there’s no point spending the same amount to prevent it. The catch, as the Sony case shows, is that the true figure is rarely known even after the fact.

Putting a price on data


One of the difficulties of estimating the cost of a data breach is that companies rarely like to discuss them when they do happen. And even in high-profile cases like Sony, where the huge level of publicity forced the incident into the open, media reports conflicted. Last month the firm said in an earnings report the breach had cost its business $15 million in cleanup costs so far, essentially wiping out profits from its Sony Pictures division. But just days later, senior general manager Kazuhiko Takeda said the figure would be $35 million for the full fiscal year.

So which number is correct? Even Sony may not really know, and the indirect costs could make the ultimate total much higher than either figure. When estimating damages, the Ponemon Institute includes the costs of outsourcing hotline support, forensic investigations, notifying customers, in-house investigations and communication with affected customers. Its 2014 Cost of Data Breach Study found that a data breach costs U.S. companies an average of $195 per record lost, amounting to an average of $5.85 million per breach. Gartner estimates global losses from cyber crime total nearly $400 billion annually.

But the Sony incident shows us there’s a lot more at stake than just customer data. The terabytes of data stolen from Sony were said to include hundreds of files containing employees’ login details, for example. If so, then the company would have had to treat every credential in those files as compromised: not just telling every member of staff to change their passwords, but rotating service-account passwords, keys and certificates and re-keying every server – an enormous task that adds up to a significant cost in its own right. Indeed, analysts at Macquarie Research estimate the cost of rebuilding Sony’s computer systems could total some $83 million.

The hidden costs of a data breach


But that really is just the start. Security experts point to numerous, less obvious considerations that could see Sony bleeding cash well into the future.

The challenge Sony now faces is that it will feel the repercussions of this incident for years to come, said Russ Spitler, VP of product strategy at security management firm AlienVault, Inc. Among the trove of data stolen from its servers were details of the company’s strategy in almost every contractual negotiation it held over the last few years, and that could have enormous implications as it tries to conduct its business in future. Then there are the embarrassing revelations in emails about what Sony executives think of Angelina Jolie, Adam Sandler and other movie stars and writers. This could prompt some to refuse to work for Sony, or else to demand higher fees next time around.

“Every single agent in Hollywood has a complete track record of Sony’s behavior during negotiations, so next time Sony wants to sign an A-list actor to a film, I am sure the costs will start adding up,” said Spitler. “People often look to the most easily measurable consequence of a breach such as this, but the long-term implications will be hard to calculate for a long time to come.”

How significant those costs will be isn’t easy to measure because of the intangible value of things like reputation, but damage to the brand can lead to lost customers, difficulty acquiring new customers, investor flight and numerous other financially damaging scenarios.

“The real cost to Sony’s reputation in the industry is probably in the hundreds of millions, perhaps even $1 billion plus,” said Kowsik Guruswamy, CTO of Menlo Security, a stealth startup. “Any company that holds something of value on behalf of their customers – be it their product designs, business plans, credit card numbers or cash – must establish and maintain trust. When they lose control of customers’ data, they lose customers.”

Nevertheless, Sony’s chief executive Kazuo Hirai put a brave face on the incident when speaking at CES in Las Vegas last month, insisting the incident wouldn’t impact the company’s financial results this year. “We are still reviewing the effects of the cyber-attack,” he said. “However, I do not see it as something that will cause a material upheaval on Sony Pictures’ business operations, basically, in terms of results for the current fiscal year.”

That may be so, but only because Sony is more likely to feel the impact later rather than sooner, argues Alex Fidgen, commercial director at information security consultancy MWR InfoSecurity Ltd.

“As CEO, Kazuo Hirai is in the best position to judge whether the financial results for this year will be unaffected by the recent security breach,” Fidgen told SCMagazineUK.com. “However, it is more likely that the non-tangible effects of the breach could impact the next year’s financial result via the loss of consumer confidence, and increased defensive spending overhead.”

One thing is clear: It’s incredibly difficult to put a figure on the cost of a serious data breach, because every company is unique and every incident affects companies in different ways. The direct costs of a data breach, such as paying a forensics firm to investigate, remediation costs and investments in new or updated technology and software, are fairly well understood. But as the Sony incident has shown, there’s just no way of knowing what the less obvious costs will add up to, or when they will stop adding up.

Image credit: geralt via Pixabay.com