Perspectives: Opinions from our network of advisors, investors, operators and analysts on the risks and opportunities they see.
Marriott International – which revealed last year, just after it acquired the Starwood hotel chain, that some 500 million guest accounts created in its SPG membership database had been compromised – is, unfortunately, in good company. Hacks have rattled Sony, Yahoo, Equifax, Target and other major corporations, as well as the Democratic Party, the CIA and the NSA.
That brick-and-mortar companies get hacked may not be surprising. But do digital natives – companies like Google, Microsoft, Yahoo or Apple – have any leg up on the legacy firms?
Bob Sullivan, a noted author and broadcaster on cybersecurity and consumer fraud, is the host of the popular Breach podcast which focused its highly successful first season on the details of the 2013 Yahoo data breach and is now exploring the Equifax hack of 2017.
Sullivan spoke to Karma Contributing Editor Michael Moran.
Michael Moran: Are digital native companies any better at fighting off data breaches and hacks than legacy companies that get hacked on a regular basis?
Bob Sullivan: You would like to hope that would be the case. So I guess that there might be some examples of that.
Just a couple of things: If you’re a digital native company, maybe that means you’ve built your apps and your software from the ground up with digital consumers in mind. But with every app that’s been created, just because of the economic forces, they think about features first and security last. That’s just what happens.
The one advantage I would say a digital native organization would have is that they don’t have these legacy computers lying around.
I’m right now in the midst of doing a deep dive into the Equifax Inc. hack, and a congressional report that I was just reading pointed out that they were on this heavy acquisition trail for the past 10 years or so, which meant some of their products were dated as far back as a Sun Solaris web server. The code was custom-written. Only a couple of people could update it and certainly apply any security patches if there was middleware involved or whatnot. So that gets complicated when you have older machines lying around.
But in general, the same principles always apply here. Most folks have rushed to add features. They rush to get glitz and to get consumers right away, and then the security people show up later and say, “What have you done?” That’s a pretty typical pattern.
Michael Moran: Is there a benchmark that suggests that we should be discounting the value of a company or a product or a stock based on how well they handle their data and their security?
Sullivan: For quite a long while, when there was a big data breach, nothing happened to company stocks. Investors didn’t react at all.
That all changed with Target Corporation. Target was the first incident where an executive, in this case, lost his job. And since then we have seen some pretty big swings.
Equifax’s stock dropped by about a quarter in the weeks after the attack. On the other hand, a year later it was back to where it was. So what was the real financial cost? The real financial cost, most of it, was actually borne by cyber insurance.
So that’s a discussion that I have with a lot of my computer engineering friends who will tell you in boardrooms across America there is this calculation between what would it cost to really secure our systems, and what would it cost to just buy insurance against them? And that calculation often goes the way you would expect it to. The cheaper option wins. So sometimes insurance wins out over security.
One of the biggest data breaches a couple of years ago that I’ll bet you never heard of involved Zappos. Zappos lost all its customers’ passwords.
And the reason you haven’t really heard about it is because, first of all, Zappos responded very, very promptly with very, very upfront information. And second of all, because Zappos had a huge wellspring of positive energy from its consumers, it had built up trust over the years. People like Zappos. And so when something bad happened they had that emotional bank account, if you will, to draw from. That positive PR.
Equifax had none of that. And so Equifax just isn’t going to get any of that.
I do think that computer security isn’t isolated. And it’s the kind of thing where if customers trust you and you have trust built up, they’ll give you a mulligan on an incident like this as long as you’re up front about it. And that is possible.
Not every incident has to be so existentially threatening, but you have to have built up the goodwill ahead of time. I think that’s really important.