Published on 02/12/2020 | Written by Heather Wright
But if you wait until someone else lets the cat out of the bag…
‘Fessing up about that data breach isn’t just a possible legal imperative, it can result in a lower cost of mitigation – some 40 percent lower, in fact – according to a new report.
The How Businesses can Minimize the Cost of a Data Breach report, from cybersecurity vendor Kaspersky, claims SMBs that voluntarily inform stakeholders and the public about a breach are, on average, likely to lose 40 percent less than those who see the incident leaked to the media. It’s a similar story for enterprises, which were found to experience 28 percent less financial damage when they were proactive about releasing the information.
In dollar terms, Kaspersky puts the estimated cost for SMBs at $93,000 if they disclose, versus $155,000 if the incident is leaked. For enterprises, those that did not take the initiative and inform proactively saw financial damage to the tune of $1.6 million, versus $1.1 million for those that were upfront about the breach.
Of course, in this day and age, honesty isn’t so much an option as a legal requirement, with Australia and New Zealand mirroring other regions in having mandatory notifiable data breach requirements in force.
In Australia, the government moved last year to increase the maximum penalty for serious or repeated breaches from $2.1 million to the greater of AU$10 million, three times the value of any benefit obtained through the misuse of information, or 10 percent of a company’s annual domestic turnover. Some 518 eligible breaches were reported in Australia in the first six months of 2020.
New Zealand’s updated Privacy Act, which came into effect on Tuesday, also introduces mandatory breach notification, albeit with much lighter penalties: a maximum fine of NZ$10,000 for failing to notify.
Legal ramifications aside, the Kaspersky report, which surveyed nearly 5,300 IT business decision makers across 31 countries, suggests companies that take ownership of the situation quickly can mitigate the damage.
What isn’t clear from the report is whether these companies suffer less loss because they disclose the event, or whether disclosure simply correlates with better incident handling generally: an organisation mature enough to disclose promptly is likely also the one that detects, contains and responds faster.
As to those surveyed, only 46 percent revealed a breach proactively, while 30 percent of those who had experienced a breach preferred not to disclose it. Twenty-four percent of companies tried to hide the incident but saw it leaked to the market anyway.
“Proactive disclosure can help turn things around in a company’s favour – and it goes beyond just the financial impact,” says Yana Shevchenko, Kaspersky senior product marketing manager.
“If customers know what happened first-hand, they are likelier to maintain their trust in the brand.
“Also, the company can give its clients recommendations on what to do next so that they can keep their assets protected.
“The company can also tell their side of the story by sharing reliable and correct information with the media, instead of publications relying on third-party sources that may depict the situation incorrectly,” Shevchenko says.
Quick detection of breaches also lowered the financial losses – by 32 percent for enterprises and 17 percent for SMBs – with early identification giving businesses a better chance of controlling the disclosure themselves rather than having the incident leaked to the press. Thirty-two percent of enterprises that took more than a week to discover a breach saw it exposed in the press, according to the report, compared with 19 percent of those that detected the breach immediately. For SMBs it’s a similar scenario, with the figures standing at 29 percent and 15 percent.
That doesn’t bode well for Australian companies. The Notifiable Data Breaches report for January to June 2020 recorded 47 instances where the reporting entity took between 61 and 365 days to become aware of and assess that a data breach had occurred, while 14 took more than a year. The OAIC says 77 percent of entities were able to identify a breach within 30 days of it occurring.
The report also found the cost of a data breach rose 47 percent for enterprises running outdated technology and 54 percent for SMBs with older technology, and that enterprises collecting customer data lose 62 percent more than peers that don’t. SMBs collecting customer data can expect to lose on average 37 percent more than counterparts that don’t.
So what’s a company to do on the comms side to ensure it can reduce the overall impact and financial damage of a data breach?
“Organisations that suffer a data breach cannot be complacent with how they manage the aftermath. As is the case with many corporate problems, there are both financial and reputational damages to consider,” Kaspersky says.
“There is not only potential for the cyber-attackers to use the information they have stolen for their own gain, but also the possibility that customers will lose trust in the targeted company and decide to take their business elsewhere.”
The report advocates having a dedicated crisis management plan for cybersecurity incidents, including deciding in advance which systems and channels will be used to share information, so that stakeholders aren’t left in the dark if attackers have gained access to the corporate email or messaging platforms the organisation would normally rely on.
“If corporate communications teams understand a company’s cybersecurity response plan, they can deliver a clear and informative message to target audiences and the media – giving an organisation more control of the outcome of a breach.”