Mike Moberly at kpstrat.com has been in the forefront of teaching IP protection strategies for some time. As we have written here often, valuators need to vet an organization’s IP security as part of any due diligence associated with IP valuation. However, as Mike will be the first to tell you, CFOs have difficulty translating protection costs into corporate benefits, especially on financial statements.
VentureBeat summarized the newly released “The Underground Economies Report” sanctioned by McAfee and SAIC (a follow-up to a 2008 report), wherein some numbers are assigned to the problem: on the average, a single data-breach episode now has a price tag of $1.2M, a whopping 46% increase over 2008.
The attacks can come from within or without. The article describes just two severe outside breaches as examples, and each goes by a military-operation-like moniker. “Operation Aurora” was an attack against Google and 30 other companies. “Night Dragon” was a series of systematic, coordinated cyber raids against oil, energy and petro-chemical companies. The latter allegedly Chinese-inspired attacks reportedly resulted in the collection of gigabytes of confidential information.
Beware the Enemy Within
The leaking of State Department cables and Bank of America’s internal documents to Wikileaks headline the internal breaches. Hackers can penetrate some of the largest, theoretically well-protected organizations in the world.
The report also discusses a trend that should alert valuators, that of storing sensitive data out of the country. There is additional security risk (and costs) attached to foreign storage, and there are countries deemed to be significantly less secure than others.
We are not blind to the motives behind a firm such as McAfee sponsoring such a report. Nonetheless, nothing we have seen strikes us as untrue, including one disturbing fact. Though 25% of the companies surveyed incurred a merger or product launch delay as a result of a data breach, not every company took measures to prevent a repeat occurrence. It remains difficult to quantify the ROI on protection expenditures. CFOs need to understand thinly protected intellectual property may not be obvious at any point in time on financial statements, but it will be reflected in valuation.