You never think your company will suffer from a data breach – until it does. Recently, this cybersecurity warning has been given often enough to be considered a cliché. But there’s a reason people say it. Scan the headlines and you’ll likely see multiple stories detailing massive data breaches resulting from cyberattacks. There are countless more that never make the news. Data breaches carry devastating, long-reaching consequences, and any company, regardless of size or industry, could be at risk of becoming a victim.
Here’s what you need to know about the impacts of a data breach and how to help protect your organization if one happens to you.
Contrary to what some might believe, a company’s size doesn’t necessarily affect its likelihood of being targeted. Although the media focuses on high-profile cases, middle-market and smaller companies are just as likely to be victims. A 2021 cyber claims study found that 99% of the cyber insurance claims analyzed were made by companies with annual revenues of less than $2 billion [1]. This might be because larger organizations often invest more in their cybersecurity, so fraudsters see smaller businesses as easier targets.
That being said, one of the biggest threats to a company isn’t its lack of security technology; it’s its people. Verizon’s 2022 report on data breaches found that 82% of reported incidents involved “the human element,” whether through stolen credentials, malware, phishing attacks, or human error [2].
All it takes is an employee clicking a fake link in an email or downloading malware masquerading as a software update. Once a fraudster successfully infiltrates a company's network, they have free rein to demand a ransom for hijacked data and leak confidential records. Here's what that can cost you.
The Financial Cost
The average cost of a data breach in 2021 rose to $4.24 million, the highest figure recorded in 17 years [3]. These costs involved everything from notifying customers to paying damages and fixing compromised systems, not to mention the cost of operational downtime and compliance fines.
Companies falling victim to a breach may also face higher bank lending costs. According to a study on the financial consequences of breaches published in The Accounting Review, companies that suffered a data breach face increased loan covenant costs and additional collateral requirements [4], especially those in industries with increased regulation and customer data sensitivity, such as healthcare.
Data breaches can also result in lawsuits, meaning companies can also expect to pay considerable legal fees. All of this adds up to a financial mess companies could spend years unraveling.
The Operational and Reputational Costs
Companies might recover financially from a data breach, but recovering their reputation is another matter. Customers’ trust in a company is eroded when their personal and financial information is compromised. Depending on how widespread news is of your breach, retaining customers and gaining new ones could be a costly challenge.
Cybersecurity attacks can also severely impact a company’s ability to perform its core functions. Hours or days of downtime from ransomware, distributed denial of service (DDoS), or other attacks can keep companies from accessing critical data, paying vendors and employees, and fulfilling contractual obligations.
Finally, there are regulatory consequences of data breaches. In the last several years, concerns over consumer data use have led to the enactment of strict data privacy laws and standards, including the Fair Credit Reporting Act (FCRA), Gramm-Leach-Bliley Act (GLBA), Payment Card Industry Data Security Standard (PCI DSS), General Data Protection Regulation (GDPR), and Personal Information Protection and Electronic Documents Act (PIPEDA). Failure to comply with these laws and standards could result in further fines and complications, especially when a breach occurs.
How To Protect Your Business
Avoiding a security incident or breach altogether is ideal. However, current trends indicate that it is likely not a matter of if, but when. It is nearly impossible to prevent every type of attack, so focusing on risk management is key to success. Companies should use risk management to direct their efforts toward strengthening and hardening their security hardware, software, standards, and policies, and toward developing an incident response plan.
Here are ten best practices to help mitigate the risk posed by cyber threats:
- Create an incident response and crisis response plan. Develop a plan for responding to incidents and designate those who will be responsible for executing it, as well as key stakeholders and decision-makers. Use tabletop exercises to test the execution of response plans and develop a culture that approaches cybersecurity as a business risk.
- Be proactive with cybersecurity awareness training. Threat actors commonly target employees through social engineering attacks, such as phishing, vishing, smishing, and business email compromise (BEC). To combat these threats, empower and encourage a culture of awareness to help your employees identify and report suspicious communications. Every member of the company should know their role in cybersecurity, regardless of their technical knowledge.
- Implement detective and preventative measures in your environment. Ensure corporate devices have anti-malware software installed and regularly updated. Use a firewall to protect the enterprise network and encrypt traffic where possible. Enable audit logging and use a SIEM (Security Information and Event Management) system to aggregate and correlate data to better detect and respond to incidents. Consider a Managed Security Provider (MSP) to provide 24/7 monitoring and response. Ensuring real-time visibility across your enterprise will allow for quicker identification of and response to threats.
- Back up important business data and information. Perform automatic and continuous backups of critical data, such as databases, financial files, spreadsheets, human resource files, accounts receivable/payable files, and core IT configurations. Use additional layers of protection for these backups, such as physical security, offline copies of backups, and encryption. Backups of critical data provide a layer of business continuity that will be beneficial in the event of a ransomware or destructive malware attack.
- Implement identity and access management (IAM) policies. Enhance your authentication security controls by enforcing complex passwords that are regularly changed and implementing multifactor authentication (MFA) for privileged, administrative, and remote access users. MFA requires a user to provide two or more verification factors to gain access to a system.
- Understand the security posture of your IT environment. Perform routine vulnerability assessments of your environment to identify critical vulnerabilities and insecure configurations that may exist. Then, implement policies and standards to ensure they are appropriately patched and remediated. Software and hardware vulnerabilities, especially those that are publicly accessible, are often easy targets for attackers and may provide an unauthorized entry point into the network.
- Control physical access to computers and network components. Laptops, mobile devices, and iPads are easy targets for theft and often contain confidential data. Consider taking measures to prevent unauthorized individuals from physically accessing corporate assets.
- Identify and protect sensitive information. Create and enforce corporate policies for where personally identifiable information (PII) and other sensitive data is held, including which applications can process that information. Enable security controls on those critical assets and applications to help prevent the data being mistakenly or intentionally passed along to unauthorized parties.
- Increase information sharing and collection. With the continuously evolving threat landscapes that companies face, it’s crucial to remain current on new threats via news sources or other open-source intelligence (OSINT) data sources. Develop a network of trusted relationships with peer companies and government agencies. Doing this will help enable vigilance, situational awareness, and agile responses to new cybersecurity trends and threats that arise.
- In the event of an incident, act quickly. Identify and address the root cause of the security incident as swiftly and diligently as possible. Secure your systems and take measures to protect the rest of your data. Develop strong escalation procedures to quickly communicate with outside partners such as vendors, government responders, and technical advisors.
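The third practice above says a SIEM should "aggregate and correlate" audit logs so that incidents are detected rather than discovered after the fact. The following is an added example, not code from the original article or from any product it mentions, showing the smallest form of that idea: a sliding-window correlation over SSH authentication logs that flags a burst of failed logins from one source and, more importantly, a successful login that follows such a burst (the pattern a stolen or guessed credential leaves behind). The syslog line format, the five-failures-in-sixty-seconds threshold, the fixed year, and the sample log lines (using RFC 5737 documentation addresses) are all constructed assumptions for illustration.

```python
"""Minimal SIEM-style correlation over authentication logs (added example).

Parses constructed syslog-style sshd lines, tracks failures per source
address inside a sliding time window, and emits findings when a burst of
failures occurs and when a success follows that burst from the same source.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines; traditional syslog omits the year.
SAMPLE_LOG = """\
Mar 10 08:00:01 host1 sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Mar 10 08:00:03 host1 sshd[1201]: Failed password for root from 203.0.113.7 port 51023 ssh2
Mar 10 08:00:05 host1 sshd[1201]: Failed password for root from 203.0.113.7 port 51024 ssh2
Mar 10 08:00:06 host1 sshd[1201]: Failed password for alice from 198.51.100.4 port 40010 ssh2
Mar 10 08:00:08 host1 sshd[1201]: Failed password for root from 203.0.113.7 port 51025 ssh2
Mar 10 08:00:09 host1 sshd[1201]: Failed password for root from 203.0.113.7 port 51026 ssh2
Mar 10 08:00:12 host1 sshd[1201]: Accepted password for root from 203.0.113.7 port 51027 ssh2
Mar 10 08:05:00 host1 sshd[1300]: Accepted publickey for alice from 198.51.100.4 port 40011 ssh2
"""

# Assumed line shape: "<ts> <host> sshd[<pid>]: Failed|Accepted <method> for [invalid user] <user> from <ip> port <n>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>[\d.]+) port \d+"
)


def parse_line(line, year=2024):
    """Turn one raw log line into an event dict, or None if it is not an auth event.
    The year is assumed because syslog timestamps do not carry one."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "host": m["host"], "outcome": m["outcome"],
            "user": m["user"], "src": m["src"]}


def correlate(log_text, threshold=5, window=timedelta(seconds=60)):
    """Sliding-window correlation across events from many lines.

    Per source address, keep the timestamps of failures that fall inside
    `window`. Two rules fire:
      - brute_force: failures in the window reach `threshold` (once per source,
        so a long burst produces one finding rather than one per line);
      - success_after_failures: an Accepted event arrives while at least
        `threshold` recent failures from the same source are still in the window.
    """
    failures = defaultdict(deque)   # src -> deque of failure timestamps in window
    alerted = set()                 # sources that already produced a brute_force finding
    findings = []
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue
        recent = failures[ev["src"]]
        # Evict failures that fell out of the window relative to this event.
        while recent and ev["ts"] - recent[0] > window:
            recent.popleft()
        if ev["outcome"] == "Failed":
            recent.append(ev["ts"])
            if len(recent) >= threshold and ev["src"] not in alerted:
                alerted.add(ev["src"])
                findings.append({"rule": "brute_force", "src": ev["src"],
                                 "count": len(recent), "ts": ev["ts"]})
        elif len(recent) >= threshold:
            findings.append({"rule": "success_after_failures", "src": ev["src"],
                             "user": ev["user"], "failures": len(recent), "ts": ev["ts"]})
    return findings


if __name__ == "__main__":
    for f in correlate(SAMPLE_LOG):
        print(f)
```

Run against the constructed sample, the correlator returns two findings for 203.0.113.7 (a brute-force burst of five failures, then a successful root login while those failures are still in the window) and nothing for 198.51.100.4, whose single failure has aged out of the window by the time its legitimate key-based login arrives. The second rule is the one worth paging on: a burst of failures alone is background noise on any internet-facing host, while a success on the tail of one is a credential that should be treated as compromised.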