Your small to mid-sized company is beginning to do well, and recovering slowly from the economic downturn over the last several years. You’ve even reinstated one of your favorite amenities from the past, being picked up in a stretch limousine or town car and driven back and forth to work daily. You get so much work done during those times. The quietness of the limo allows your mind to enter into new areas and wonder; Have we maximized our marketing efforts? Could we improve our supply chain? Have we addressed all of the risks our business could face? Is our network vulnerable to being hacked?
One of the most costly consequences of being hacked by a cyber criminal is how much is it going to cost to clean up the mess? Target, the retail chain store’s profits fell by 46% . By their own estimation it’s going to cost them $148 million to fix all the issues. Which means replacing all their credit card terminals in 1600 stores. Plus they had to provide credit card protection subscriptions to 40 million Target Customers affected by the breach.
That’s a very large public example. If you have a small company and don’t retain or handle any credit card data, what’s the worse that could happen? The Ponemon Institute released a survey entitled “The Business Impact of a Data Breach.” Over 700 Chief Executives (CEO, CIO, CTO, COO) and IT security officers participated in the survey.
85% of respondents admitted that they had experienced a data security breach. 82% did not consult with a lawyer prior to reacting to the incident, as they had no prior response plan in place.
Key findings from the survey:
• More than 85% of respondent organizations reported that they have experienced a data breach event.
• Of those organizations, less than 43% had an incident response plan in place, and 82% failed to consult with legal counsel before responding to the incident.
• Following a breach, 46% of organizations still failed to implement encryption technology on portable devices.
• 95% of businesses suffering a data breach were required to notify data subjects whose information was lost or stolen.
• 97% were required to notify under state statutes.
• 58% were required to notify under federal privacy acts such as HIPAA and GLBA.
• Organizations that suffered data breach actually employ substantially more IT and data security measures than organizations that did not experience a data breach.
• 37% of respondents say their organizations sent blanket notifications, rather than precise notifications.
• Organizations experiencing a data breach incurred costs across the board.
• 74% report loss of customers.
• 59% faced potential litigation.
• 33% faced potential fines.
• 32% experienced a decline in share value
• Almost half of the breach incidents were attributed to lost or stolen equipment such as laptops, PDAs, and memory sticks. The second largest threat came from negligent employees, temporary employees, and/or contractors.
• Despite the frequency of data breach events, 42% of respondents claim their organization’s IT security spending will remain the same in the coming year.
These results demonstrate that businesses of all sizes are lacking the proper policies, procedures and controls necessary to mitigate the potential and probably legal issues they’re facing. Notification of customers, vendors and regulatory agencies, of a breach is a very costly to businesses. The upfront costs of informing those affected by the breach and the cost of the breach investigation, plus the cost of controlling the breach all have to be taken into consideration. I know of one cyber security forensics firm that charges $10K just to walk in the door. With eventual costs running into the hundreds of thousands.
And many company’s face potential litigation and fines, along with the intangible costs related to the damage of the corporate brand, loss of customers, and decline in share value and reputation management. Data breaches in the US and around the world are growing at an alarming rate. We hear about a new breach weekly, if not daily. Former FBI Director Robert Muller said during a Senate hearing “There are only two types of companies: Those that have been hacked and those that will be.” It’s just a fact of life. When anonymous server networks can hide the identity of the cyber criminal, there is nothing to stop them from becoming increasingly smarter, craftier and more numerous. This new threat must be added to every company’s conversation of risk management.
Develop a plan to implement:
• stakeholder/sharholder communications
• determine all the ways your finances would be impacted
• develop a proactive crisis communication response plan
• develop a time-line for executing the plan
• consider crafting a different message to different types or levels of clients and employees
• Consider using a Special Crisis Communication Firm
• Look into adding a cyber security loss rider to your companies insurance policy
• Budget for the event
Consult with a legal professional to develop and customize policies and procedures that fits your organization’s profile. Before you do anything else hire a cyber security firm to do a cyber risk analysis. These should be your first steps in mitigating this new pervasive risk to your business.