2/25/2013
01:47 AM

Investors Value A Company's Cybersecurity Record

New HBGary report says majority of U.S. investors steer clear of investing in companies that have suffered multiple data breaches -- and they worry more about theft of customer data than intellectual property

SAN FRANCISCO -- RSA CONFERENCE 2013 -- Turns out most U.S. investors are wary of investing in companies that have a history of getting hacked, and they are twice as concerned about those whose customer data was stolen as about those whose intellectual property was pilfered.

New data released here today from a survey conducted by Zogby Analytics on behalf of HBGary found that close to 80 percent of American investors said they aren't likely to invest in a company that has suffered multiple cyberattacks, and 70 percent would research a publicly traded firm's cybersecurity practices and incidents.

"The fact that investors and customers care so much about this is why we are starting to see boardrooms take a lot more interest in the security of a company," says Ken Silva, senior vice president for cyberstrategy for the mission, cyber and intelligence solutions group at ManTech International Corp., of which HBGary is a subsidiary.

But investors weigh customer data breaches as worse than theft of IP: Fifty-seven percent said they consider a hack that compromises customer data as more worrisome, while some 29 percent rated intellectual property as the most worrisome.

"People can relate to [customer data theft] right now and can feel the shockwave. I think IP theft will start to show itself and its real impact a couple of years from now when stolen intellectual property starts to make its way through the system," Silva says. "That's as opposed to now, when we know it's happening, but we haven't actually seen the ramifications of it yet like we do with customer data. We're not seeing exact copies of the next tablet coming out before Samsung or Apple," for example, he says.

Cyberespionage concerns are gaining some political clout, with the Obama administration last week announcing its plans to crack down on IP theft. And more and more big companies of late are coming clean that they have been infiltrated, including major media outlets like The New York Times, The Wall Street Journal, and The Washington Post.

[Finally, convincing evidence of a long-suspected Chinese military link to cyberespionage against U.S. firms: A prolific and especially persistent cyberespionage group out of China has been tied to the People's Liberation Army and has been behind attacks on a minimum of hundreds of companies across 20 major industries mainly in natively English-speaking countries. See Chinese Military Tied To Major Cyberespionage Operation. ]

HBGary's report, which gathered data from 405 U.S. investors surveyed, also found that 66 percent of investors said they would likely research whether a company had been fined or disciplined for a security breach.

ManTech's Silva says the most shocking finding of the survey was that 78 percent said they weren't likely to invest in a company that had suffered multiple security breaches. "That's an incredibly high number, and that shows just how seriously investors are really taking [cybersecurity]," he says.

The report also found that investors care about how companies handle breach disclosure. "Given all of the publicity around breaches in the last two years, we're almost numb to hearing about it. But when a breach is poorly handled, boy, does it make the headlines," Silva says. "If you're hiding it, not disclosing, taking too long to disclose it, or if no one knew" for a long time about the breach, that shakes investors' confidence in the victim organization, he says.

Silva says investors traditionally have been all about the bottom line, but the survey shows that they are savvy about the potential impact of cybersecurity problems on companies they are looking to invest in: "If this says anything, it's that cybersecurity is a fiduciary responsibility," Silva says. "So boards of directors need to treat cybersecurity as their fiduciary responsibility."

Kelly Jackson Higgins is Senior Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, ...
