The effects of a data breach and how to prevent them
2018’s data breach sweep of Facebook, Google, and Amazon marked a new level of consciousness of the impending threat of data breaches worldwide. Combined, all three breaches affected over 200 million account holders and cost a total of over $5 billion in damages. Although these data breaches swarmed the headlines last year, they were just the tip of the iceberg of 2018 hacks that affected everyone from local startups to established enterprises.
According to the annual IBM/Ponemon Institute study, the average cost of a data breach is $3.92 million, at $242 per stolen record. The same study also estimated that a company has nearly a 30 percent chance of getting hit with a data breach within two years of the previous incident (think Facebook). It should also be noted that although the major corporations make the headlines, 58 percent of all data breaches hit small to midsize businesses.
No company in existence is too small or too large for a security breach, and the costs can be devastating. Outside of internal inquiries and compliance issues, the financial fallout from a network break-in is widespread and almost impossible to recover from. Here are some of the costs of a data breach that many companies never see coming.
While all companies suffer from internal costs (investigations, infrastructure updates, employee retraining, etc.), the greatest economic damage stems from lost business. According to Cisco’s 2018 Annual Cybersecurity Report, companies hit with a data breach report the following:
- 29 percent of companies lost more than 20 percent of revenue.
- 42 percent of companies lost more than 20 percent of new business.
- 40 percent of companies lost 20 percent of their customers.
- 23 percent of companies lost potential business opportunities.
Most business owners do not realize the weight of public scrutiny after a cyberattack. When it comes to security and privacy, perception is what governs public trust in a company’s infrastructure. So, it doesn’t matter if the company is to blame for the breach. The organization has lost the confidence of its customers, shareholders, business partners, and the public at large. The fallout affects its bottom line.
Case in point: the infamous Yahoo Breach of 2013 – still the biggest data breach of the 21st century – affected over three billion users. Before the breach, Yahoo was valued at $100 billion. After the breach, Verizon bought out Yahoo at $4.48 billion. The former search engine giant never recovered from the incident.
Although user error is still the leading cause of cyberattacks, one of the main reasons why hackers penetrate a network is outdated technology. As such, when a breach occurs, companies are forced to rethink their infrastructure. What should have been a preventative compliance measure turns into a costly response.
Many of the costs associated with an IT disaster recovery plan include updating Microsoft operating systems and software, replacing outdated equipment, and either expanding the in-house IT department or outsourcing to an IT company. Some companies may have to undergo a comprehensive digital transformation from on-site data storage to cloud-based services and data recovery solutions. Businesses may also have to revamp their online platforms and account software systems to ensure customer security and privacy.
For smaller businesses, these updates can turn into a six-figure expenditure. Enterprises are looking at millions of dollars to rebuild their networks. One thing is for sure: the cost to restore any network is far higher than taking preventative measures.
Even companies that rely on outsourced IT or cybersecurity still rely on their employees to engage in safe online practices. Yet, many companies fail to properly train their employees to identify cyber threats or use the internet securely. As a result, nearly 50 percent of all cyberattacks result from employee error – more specifically, negligence or accidental data loss.
The typical starting cost for a preventative security awareness program for 50 to 100 employees is between $1,000 and $5,000. By contrast, the cost to retrain employees after an attack can be as high as $100,000. Why the difference? Because retraining usually involves onboarding everyone with a wholly reframed infrastructure. Hidden costs often include lost productivity, technology training, and additional pay for overtime.
For many companies, a breach is a springboard for a digital transformation that includes installing new equipment, media, communication systems, or cloud platforms. In some cases, a company may overhaul its entire infrastructure. Bringing everyone along in the process requires immense organization, time, resources, and funding.
How to Prevent Data Breaches
Regardless of the measures that a company takes to safeguard its network, there is never a guarantee that it won’t get hacked. Cybercriminals are adept at exploiting emerging technology almost as fast as developers are at securing it. However, both small businesses and enterprises can take steps to mitigate the risk of a cyberattack. Some of these steps include:
Large corporations with data centers may find it more practical to accommodate an in-house IT department. For small to midsize businesses, however, outsourcing to a managed IT or cybersecurity company has several benefits. Outsourcing reduces facility and labor costs. Business owners can work with specialists who are trained, certified, and experienced in IT and cybersecurity.
IT companies also provide real-world solutions for scalable infrastructures, business continuity, data recovery, insider threats, and breach prevention. Plus, businesses benefit from 24/7 monitoring and instant response when cyberthreats occur.
Data Recovery and Protection
Data is the core element in every network. Therefore, companies must be proactive in protecting and restoring data at all costs. In today’s volatile cyber climate, the best way to protect data is to take it off-site and put it on a cloud platform. An IT team should also take the following measures:
- Make sure the data is accessible and recoverable off-site in case of a disaster.
- Update all Microsoft OS software and hardware.
- Use layered protection such as an intrusion detection/prevention system (IDS/IPS), VPN, malware blocker, antivirus, and a firewall.
- Make sure that the IDs, passwords, and access of all users (employees, partners, customers) are updated.
Provide Staff with Ongoing Training
Cyber technology is always evolving. Therefore, training a workforce in cybersecurity should be ongoing. Any training program should begin with having a game plan for onboarding before any new software or devices are implemented. Doing so after the fact can leave a company vulnerable to an attack during the training phase.
Companies also need to establish clear and easy-to-remember protocols for security. For instance, usernames and passwords should be created by the IT department, not the employee. Other considerations include network access, threat reports, remote device access, onboarding/outboarding, online restrictions, email restrictions or configurations, and software use.
As cyberthreats continue to grow, businesses need to get aggressive about protecting their digital assets, as well as their employees and the people they do business with. Cybersecurity is paramount and should be a top priority for any organization. Cybersecurity does more than mitigate risk — it creates a sustainable model that promotes corporate growth and healthy business relationships.
Written by: Indiana Lee, BOSS contributor