[BreachExchange] The Hidden Costs Your Business Incurs from a Data Breach
Destry Winant
destry at riskbasedsecurity.com
Wed Nov 13 10:11:21 EST 2019
https://thebossmagazine.com/data-breach-threats/
2018’s data breach sweep of Facebook, Google, and Amazon marked a new
level of consciousness of the impending threat of data breaches
worldwide. Combined, all three breaches affected over 200 million
account holders and cost a total of over $5 billion in damages.
Although the data breaches swarmed the headlines last year, it was
just the tip of the iceberg of 2018 hacks that affected everyone from
local startups to established enterprises.
According to IBM’s/Ponemon’s annual Institute Study, the average cost
of a data breach is $3.92 million at $242 per stolen record. The same
study also estimated that a company has nearly a 30 percent chance of
getting hit with a data breach within two years of the previous
incident (think Facebook). It should also be noted that although the
major corporations make the headlines, 58 percent of all data breaches
hit small to midsize businesses.
No company in existence is too small or too large for a security
breach, and the costs can be devastating. Outside of internal
inquiries and compliance issues, the financial fallout from a network
break-in is widespread and almost impossible to recover. Here are some
of the costs of a data breach that many companies never see coming.
Lost Business
While all companies suffer from internal costs (investigations,
infrastructure updates, employee retraining, etc.), the greatest
economic damage stems from lost business. According to Cisco’s 2018
Annual Cybersecurity Report, companies hit with a data breach report
the following:
29 percent of companies lost more than 20 percent of revenue.
42 percent of companies lost more than 20 percent of new business.
40 percent of companies lost 20 percent of their customers.
23 percent of companies lost potential business opportunities.
Most business owners do not realize the weight of public scrutiny
after a cyberattack. When it comes to security and privacy, perception
is what governs public trust in a company’s infrastructure. So, it
doesn’t matter if the company is to blame for the breach. The
organization has lost the confidence of its customers, shareholders,
business partners, and the public at large. The fallout affects their
bottom line.
Case in point: the infamous Yahoo Breach of 2013 – still the biggest
data breach of the 21st century – affected over three billion users.
Before the breach, Yahoo was valued at $100 billion. After the breach,
Verizon bought out Yahoo at $4.48 billion. The former search engine
giant never recovered from the incident.
Infrastructure Restoration
Although user error is still the leading cause of cyberattacks, one of
the main reasons why hackers penetrate a network is outdated
technology. As such, when a breach occurs, companies are forced to
rethink their infrastructure. What should have been a preventative
compliant measure turned into a costly response.
Many of the costs associated with an IT disaster recovery plan include
updating Microsoft operating systems and software, replacing outdated
equipment, and either expanding the in-house IT department or
outsourcing to an IT company. Some companies may have to undergo a
comprehensive digital transformation from on-site data storage to
cloud-based services and data recovery solutions. Businesses may also
have to revamp their online platforms and account software systems to
ensure customer security and privacy.
For smaller businesses, these updates can turn into a six-figure
expenditure. Enterprises are looking at millions of dollars to rebuild
their networks. One thing is for sure: the cost to restore any network
is far higher than taking preventative measures.
Employee Training
Even companies that rely on outsourced IT or cybersecurity still rely
on their employees to engage in safe online practices. Yet, many
companies fail to properly train their employees to identify cyber
threats or use the internet securely. As a result, nearly 50 percent
of all cyberattacks result from employee error – more specifically,
negligence or accidental data loss.
The typical starting cost for a preventative security awareness
program for 50 to 100 employees is between $1,000 and $5,000. By
contrast, the cost to retrain employees after an attack can be as high
as $100,000. Why the difference? Because retraining usually involves
onboarding everyone with a wholly reframed infrastructure. Hidden
costs often include lost productivity, technology training, and
additional pay for overtime.
For many companies, a breach is a springboard for a digital
transformation that includes installing new equipment, media,
communication systems, or cloud platforms. In some cases, a company
may overhaul its entire infrastructure. Bringing everyone along in the
process requires immense organization, time, resources, and funding.
How to Prevent Data Breaches
Regardless of the measures that a company takes to safeguard their
network, there is never a guarantee that it won’t get hacked.
Cybercriminals are adept at exploiting emerging technology almost as
fast as developers are at securing it. However, both small businesses
and enterprises can take steps to mitigate the risk of a cyberattack.
Some of these steps include:
Outsourcing IT
Large corporations with data centers may find it more practical to
accommodate an in-house IT department. For small to midsize
businesses, however, outsourcing to a managed IT or cybersecurity
company has several benefits. Outsourcing reduces facility and labor
costs. Business owners can work with specialists who are trained,
certified, and experienced in IT and cybersecurity.
IT companies also provide real-world solutions for scalable
infrastructures, business continuity, data recovery, insider threats,
and breach prevention. Plus, businesses benefit from 24/7 monitoring
and instant response when cyberthreats occur.
Data Recovery and Protection
Data is the core element in every network. Therefore, companies must
be proactive in protecting and restoring data at all costs. In today’s
volatile cyber climate, the best way to protect data is to take it
off-site and put it on a cloud platform. An IT team should also take
the following measures:
Make sure the data is accessible and recoverable off-site in case of a disaster.
Update all Microsoft OS software and hardware.
Use layered protection such as an intrusion detection/prevention
system (IDS/IPS), VPN, malware blocker, antivirus, and a firewall.
Make sure that all users (employees, partners, customers) IDs,
passwords, and access are updated.
Provide Staff with Ongoing Training
Cyber technology is always evolving. Therefore, training a workforce
in cybersecurity should be ongoing. Any training program should begin
with having a game plan for onboarding before any new software or
devices are implemented. Doing so after the fact can leave a company
vulnerable to an attack during the training phase.
Companies also need to establish clear and easy-to-remember protocols
for security. For instance, usernames and passwords should be created
by the IT department, not the employee. Other considerations include
network access, threat reports, remote device access,
onboarding/outboarding, online restrictions, email restrictions or
configurations, and software use.
As cyberthreats continue to grow, businesses need to get aggressive
about protecting their digital assets, as well as their employees and
the people they do business with. Cybersecurity is paramount and
should be a top priority for any organization. Cybersecurity does more
than mitigate risk — it creates a sustainable model that promotes
corporate growth and healthy business relationships.
More information about the BreachExchange
mailing list