Huge Data Breach Losses Aren't Forcing Companies to Bolster Security
In a recent survey, RAND found that only 11 percent of consumers stopped doing business with a company because of a breach. "I have often wondered why consumers are not up in arms—because their information is out there, it is so easily taken," Ablon said. "I think it is because consumers are not feeling the hurt. Identity theft is pretty small in terms of financial impact."
The result is that half of companies are not increasing their spending on security, according to a 2015 report by the Ponemon Institute that was funded by security services provider Dell Secureworks. Of the other half, about two-thirds plan to increase their spending in the next two years and the remainder will dramatically increase their budgets. "Despite the increase in well-publicized security breaches, IT security investments are not getting the board’s attention and support," the report stated.
"Small companies are based more on relationships, and … they tend to be more directly impacted than the large firms," Verizon's Novak said.
Two trends, however, will raise the stakes for both breached companies and their victimized customers. First, information that is not easily changed or replaced, such as Social Security numbers, is increasingly targeted by hackers. In 2015, for example, nearly 165 million records containing Social Security numbers were compromised in 338 breaches. In contrast, fewer than 1 million records involving debit or credit cards were exposed in 2015. The previous year saw far more credit cards exposed: some 138 breaches resulted in information on nearly 65 million cards being stolen by hackers, according to the Identity Theft Resource Center.
The second trend is that companies are collecting more and different kinds of personal information about their users. For example, home video cameras frequently connect to a cloud service to store video. Attackers could easily gain information on consumers through a breach of such a service.
Other devices that are part of the Internet of things—from heart monitors to GPS-enabled trackers—will only accelerate this trend. "Now, you are getting into the area, where all this stuff is getting really personal because of everything [that is] connected all around us," Verizon's Novak said. "The exposures will become much more serious, and I think you are going to see that consumers are going to care a lot more."
While large companies can absorb the impacts of a breach, small companies generally run the risk of being put out of business by a significant compromise. While a breach of personally identifiable information is not known to have led to the direct failure of a company, other types of compromises have resulted in businesses being shut down. Code repository Code Spaces, for example, closed its virtual doors after a hacker took control of its Amazon control panel and deleted all the servers when the owner refused to pay a ransom.