Another reason that the leaders of large corporations may figure that it is not worth the effort and cost to improve security is that brand damage is apparently not long-term. The public, increasingly accustomed to hearing about major hacks and data breaches on a regular basis (more than 100,000 IRS taxpayer records compromised and the breach of 4 million employee records from the U.S. Office of Personnel Management are just two recent examples), may view it as a "new normal."
But for companies outside the Fortune 1000 level, the net cost of the breaches can still hurt a lot, Ponemon said.
That is the message from other studies of data breach costs. A 2014 report by New York Attorney General Eric Schneiderman titled "Information Exposed: Historical Examination of Data Breaches in New York State" that covered the years 2006-2013, described their costs as, "nothing short of staggering," noting that the combined losses in 2013 alone for organizations doing business in New York were $1.37 billion.
And those costs keep going up. Ponemon's most recent report found that the average total cost of a breach had increased 23% over two years, to $3.79 million. For a corporation worth billions, that is not much, he agreed, but said it amounts to significant money for the vast majority of smaller organizations.
Beyond that, experts say that the "soft costs" of data breaches, even for really big companies, can go far beyond the direct costs reported, meaning it is not as "cheap" as it appears.
Some estimates of the total costs of the Target breach range to more than $1 billion, including a drop in profits of 46% in the fourth quarter of 2013 compared to the year before.
Other costs cannot be quantified directly, but can still be significant, such as lost future sales.
"We cannot simply look at potential loss based on the number of compromised records," said Rob Kraus, director of research at Solutionary. It also has to include, "the impact of consumers who were looking to make purchases in the future -- new consumers."
Muddu Sudhakar, CEO of Caspida, also said there are costs that may be hard to calculate since they occur over time. "Data breaches have multiple costs -- direct breach recovery, lost revenue, contractual risks, reputational damage, and lost competitive advantage when intellectual property is compromised," he said.
And, of course, they can have a very direct impact on company leaders. The CEOs of both Target and Sony resigned following the breaches of their companies.
Nat Kausik, CEO of Bitglass, added that in industries outside of retail, such as healthcare and financial services, "data breaches can have significant penalties associated with loss of compliance."
Sign up for Computerworld eNewsletters.