What is the True Cost of a Cybercrime Attack?
Posted March 29, 2016
The post-breach world
Analyzing cybercrime losses in terms of damage to short-term revenue is short-sighted and massively underestimates the holistic and far-reaching effects of a single security breach.
Long-term impact must be looked at in terms of damage to customer trust, lifetime value and the true cost of individual pieces of stolen customer data.
In the wake of recent data breaches, CEOs are often quick to launch reassuring media campaigns to highlight tightened fraud defenses and compensation to customers, but how far does the murky water of a fraud attack seep?
Years of marketing can be undone in one single attack, hitting acquisition, retention and referral rates hard. There’s nothing like a big fraud story to hit the headlines, and even with a textbook response, your organisation can still become the topic du jour for dinner conversations worldwide. That is not a very healthy platform for acquiring new customers. TalkTalk have become synonymous with their recent data breach, and without a wholesale PR turnaround their acquisition numbers could take months if not years to recover.
In Q3 2015, ThreatMetrix detected and stopped more than 90 million attacks in real time, a ~20% increase over the previous quarter. As mobile transactions proliferate, cross-device usage has rocketed and customers are storing more personal information in online accounts than ever before, providing a fertile breeding ground for login attacks, which have risen 30% compared to the previous quarter.
At the same time, as companies are forced to cater to the ever more demanding and technically astute customer, lifetime value relies on an online experience that is slick, streamlined and without friction.
“At least they didn’t get my bank details”
As cybercrime attacks increase, every piece of stolen information is another piece in the identity jigsaw for fraudsters. Digital identity can be knitted together with myriad pieces of stolen information from various data breaches, augmented by data for sale on the dark web.
Post-breach, organisations face the anxious wait to see how many customers cut and run. Even if customers feel reassured by the fact that bank account or credit card details were sufficiently encrypted to protect their money, with the ever-increasing sophistication of phishing attacks, small pieces of personal information may be enough to dupe customers into believing a communication is legitimate. This might lead to unknowingly downloading malware or entering sensitive information into a fake website.
Trust can be breached months down the line and customers who may have survived the initial breach lose faith and take their business elsewhere.
What is trust really worth?
Customer trust is crucial. In a post-breach world, customers expect consistent and detailed assurance that their personal data is safe. Following a breach, companies must ensure total parity of communication so that everyone in the organisation is giving the same, consistent information.
When a customer leaves, it isn’t just the cost of replacing them that the organisation must bear. It must also take into account that customer’s lost lifetime value. Loyal customers often spend more because they are more receptive to cross-sell and upsell than new customers. And loyal customers are also more likely to recommend the company: “recommend a friend” referrals are consistently seen as one of the best marketing tools a company has.
The reverse is true following a negative experience. Negative press combined with chatter about why a friend has defected to a competitor is enough to place a brick wall between your organization and a whole group of people who have been touched by one person’s identity breach.
How the ThreatMetrix solution trumps the hand of cybercriminals
In this climate, traditional identity-proofing methods are fast becoming ineffective, because fraudsters have too much power: they can steal or buy so much individual information that it is becoming harder than ever to pick out legitimate customers. Businesses need a layered approach which can bring together device identification, geolocation analysis, big data analytics, behavior analytics, telephone number and address validation, credit card fraud detection (when applicable), identity validation, and/or identity scoring.
ThreatMetrix has the largest repository of anonymized digital identities based on the shared intelligence from billions of daily transactions. The Digital Identity Network analyzes trillions of connections between devices, locations and various pieces of personal information to build a unique picture of trusted user behavior. No matter how detailed a fraudster’s faked or stolen digital identity may be, it can never compete with the scale and depth of the true digital identity that the network creates. This can provide organizations with the confidence and security they need to distinguish fraudsters from trusted users time and time again, protecting brand reputation, lifetime value and long-term revenue.