Corporate information security, part 1 — Why can’t I invest in information security like I can in green companies?
I’m about to invest in a new fund. I compare the profit, risks and costs. I can choose to only invest in low carbon risk funds and opt out of industries that use animal testing or palm oil, or I can refuse to invest in tobacco. Why should I not be able to invest just as easily in companies that have taken care of their information security? And what about shares? There is a wide range of KPIs to choose from, and every company quotes ‘customer-orientation’ and ‘integrity’ among its values; however, only a few businesses have something to say about information security.
Don't get me wrong, mitigating climate change, improving global public health and promoting ethical working conditions are really important things, and if I were forced to choose, climate change would take precedence over information security. However, I feel that this would be like making you choose between an oven and a fridge: they are both appliances but do completely different things.
Since you are free to choose what to invest in on the market, why shouldn’t you also feel free to make your decisions based on information security?
Information security affects value
How well a company has taken care of its information security has a major impact on its valuation.
Comparitech studied the impact of data breaches on the share prices of 28 companies listed on the New York Stock Exchange. The study was carried out from 2017 to 2019, and according to Comparitech, share prices dropped immediately after a data breach. Despite this, they found that companies were able to rapidly recover and, in some cases, even rise in the short term. However, over time the share price development of data breach victims could not keep pace with the NASDAQ index. The development of the share value was naturally affected by a variety of factors, but the most significant damage to the recovery of the business was the cost of investigating the extent of a data breach, reinstalling systems, restoring data, and ultimately paying the total price for the damage.
A “Data Breach Discount” also became known in company acquisitions due to the vulnerability that the company had previously experienced. For example, Verizon reduced Yahoo's purchase price to USD 350 million after two data breaches came to light. The information security issues of the Starwood hotel chain surfaced after it had been acquired by Marriott, which was saddled with a hefty fine and years of work in clearing the damages.
Information security and data protection are values
Consumers are interested in information security
Information security and data protection are important considerations for consumers buying new services and products. For example, Traficom's consumer survey regarding the purchasing of smart devices and cloud services revealed that most consumers are interested in the information security of their devices, including cloud storage and communications services. According to a survey conducted in November 2018, three in four Finns would also be prepared to pay more if they could be sure of a service's or product’s information security. In Cisco’s 2019 consumer survey on data protection, 48% of people had changed service providers or companies because they were not happy with their data processing and disclosure practices.
To put it simply, the reputation damage caused by negative coverage of poorly handled data breaches can haunt companies for a long time and this ultimately drives customers away. On the other hand, if a company does not admit to even a single case of attempted data breach or say anything about its information security, it can raise suspicion. Perhaps their monitoring capabilities are not up to par, or they just do not place information security highly enough in their business agendas.
Information security can tip the scales in the choice of service provider
Information security and data protection are crucial for companies when choosing service providers and partners. In some industries, they are vital, as disruption caused by a denial-of-service attack or blackout can put lives at risk. Our digital society will be paralyzed if elevators stop, power is cut and people can’t make payments. If the goods stay on the shelves, cash doesn’t flow, and collaboration is an endless troubleshooting exercise, your company is probably not the first choice after the contract period ends.
So how can you tell if a company has its information security in order? As of yet, it’s pretty tricky. But companies are fortunately becoming more open about matters of information security. One day, I will perhaps be able to complement the Morningstar rankings with a securitystar information security rating when choosing my investments.
This blog post is the first in a series on information security and awareness. The next instalment will discuss the information security threats companies can face and what lessons they need to take from them.