Data breaches and cyberattacks aren't just a worry for consumers who've had personal information filched or paranoid information security pros. They can also scare away investors, according to a study on investor attitudes toward cybersecurity released Monday.
Companies with a history of being targeted in cyberattacks one or more times were viewed with skepticism by the 405 investors who took part in the study by HBGary, which offers tools and services to protect information from cyber spies and terrorists.
Some 78.1% of them said they were somewhat or very unlikely to invest in such a company. In addition, more than two-thirds (68.7%) said they would be somewhat or very unlikely to invest in a company with a history of one or more data breaches.
The study, performed by Zogby Analytics, showed that investors are less concerned about cyberattacks themselves than about how a company responds to them. About two-thirds (66%) of the investors said they were more interested in how a company handles an attack, compared to 25% who said they were more concerned with the attacks themselves.
"There have been a few high-profile cases over the last couple of years where responses weren't as crisp as most people would have liked to have seen," Ken Silva, senior vice president of cyber strategy for Fairfax, Va.-ManTech International, HBGary's parent company, said in an interview.
"It had a very negative impact on the market capitalization of those companies," he said. "Things like that have had a serious impact for investors and is one of the things driving their concerns."
Investor attitudes toward cyber security is maturing, according to HBGary CSO Jim Butterworth. "Investors want to see more openness and transparency in a company's process, response, even their investment in cyber security."
The study also found that more investors are concerned with the theft of customer information than intellectual property. More than half the investors (57.2%) said they were more concerned about a breach of personal data. That compares to 28.8% who said they were more concerned about IP losses.
"That surprised us," Silva confessed. "You'd think that loss of intellectual property would be a top-of-mind issue for investors."
"That's probably because the tail on liability for the loss of consumer data is probably a lot longer and much more unknown than the loss of intellectual property," he added.
The impact is more immediate, too. "You could have millions of consumers who are outraged by the loss of the data," he explained, "while with intellectual property, it could take a little longer before you see the ramifications of that."
A company's brand also takes a big hit in a consumer data breach, said John Vecchi, vice president of marketing for Solera Networks in Salt Lake City, Utah.
That hit will be exacerbated if a company acts befuddled by the breach. "An organization's inability to answer critical post-breach questions can have the most detrimental effect on their brand," he said in an interview.
However, many companies still appear to be ill-equipped to battle cyberattacks. A study released by Solera today found that a third of malicious breaches are discovered by third parties, not by a company's security defenses.
The study, performed by the Ponemon Institute, also revealed that the average cost of a malicious data breach totaled $840,000 -- almost twice the $470,000 cost of a non-malicious breach.
"Our study confirms that organizations are facing a growing flood of increasingly malicious data breaches, and they don't have the tools, staff or resources to discover and resolve them," Larry Ponemon, chairman and founder of the institute that bears his name, said in a statement.
Read more about data privacy in CSOonline's Data Privacy section.