Ponemon said it is not just customers who pay attention to the reputation of an organization either. The failure to address security can affect a company's relationship with its partners. "If they know you're not serious about security, they may stop sharing information with you," he said.
Sudhakar agreed. "If you move from the consumer space to the B2B space, enterprises are very careful about who they partner with," he said. "They know that a breach of their intellectual property can have catastrophic consequences in terms of revenue and lost competitive advantage."
And, of course, cyber criminals are bound to notice even an unspoken message that a company is lax about security.
"Hackers opportunistically hack vulnerable enterprises first. The weakest bank, the weakest retailer, the weakest healthcare organizations get hacked first," Kausik said.
Finally, the liability costs of breaches could ramp up. "At some point we're likely to see more of these breaches make it up to the point of class-action suits and this will increase the loss potential of enterprises as well," Kraus said.
In general, experts say it is dangerous for any organizational leader to assume that breaches are rare. Many are not required to be reported publicly. And the mantra among security experts for years has been that there are two kinds of companies: Those that know they have been breached, and those that have but don't know it yet.
"You could make the argument that large corporations should not invest in fire insurance, sprinklers or smoke detectors because the risk of a fire is so remote," Sudhakar said. "But that is a fallacious argument -- businesses protect themselves from fires even if the possibility is slight."
Kraus compared breaches to cockroaches. "You see one, but do you not see the other thousand hiding in the walls or under the sink," he said. "I don't believe most CEOs actually understand the threats that are out there today.
"They excel at driving businesses to success and are very well versed in ensuring the enterprise is successful, but I do not put a lot of faith into most when it comes to approaching how to secure the organization."
Ponemon warns that a failure to address security can also turn a small problem into a big one. "The Anthem breach started with 10 or 20 records. But then they realized, 'Hey, no one's spotted us,' and it got much bigger. Hackers are trying to test the limits of our systems."
Kraus said security needs to be viewed more as an investment than a drain on the bottom line.
"I strongly recommend that organizations approach security using a tactical and strategic road map," he said. "It should be viewed as, 'This is the money we need to spend over the next three to five years, to save or mitigate losses, resulting in an expected return on investment.'"