BreachExchange mailing list archives

This One Tech Mistake Could Cost You $5M


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Thu, 28 Aug 2014 20:00:43 -0600

http://www.inc.com/john-brandon/this-one-tech-mistake-could-cost-you-5m.html

Your business data is the most precious thing you own--really. Think about
it: Your customer records, your financial transactions, your business
knowledge, your private employee information. Without this data, your
company would collapse in a giant heap.

In an independent study conducted last year by the Ponemon Institute and
sponsored by IBM, those surveyed revealed a shocking truth about data
breaches. We already know the costs of a breach can be astronomical--e.g.,
fines for a violation in the health care sector can easily run up to six
figures or more. Yet, the survey found that reputation management costs
after a data breach can run as high as $5M per infraction.

What is reputation management?

Small companies often go to any means necessary to restore a damaged
reputation--new advertising campaigns, adding security services, posting to
social media. Lost trust with customers, employees, and vendors has to be
rebuilt. Restoring a reputation to the level of confidence it enjoyed
before the breach can cost more than the breach itself. It's a process that
often requires help from consultants, social media gurus, and security
experts.

The survey found that, while a breach might be a one-time event--e.g., the
Target fiasco in which credit and debit card numbers were stolen in
2013--repairing a corporate reputation can take several months or even
years.

"The strong linkage to business continuity management will allow a company
that has already suffered a data breach to rebound more quickly and more
smoothly--and that can save some of the negative impact to reputation,"
says Laurence Guihard-Joly, an IBM spokesperson for data continuity.
"Business continuity enables a faster and more agile recovery, which in
turn reduces the impact to reputation [losses]."

What's the harm?

Guihard-Joly listed a few examples of post-breach issues. If customers are
not able to log in to a site after a breach, they might take their business
elsewhere. Once a retailer is seen as vulnerable, more criminals might try
to commit fraud unrelated to the data breach itself. If an IT services
company has a network outage that results from a data breach, vendors might
wonder if the company is lacking in other areas.

It is possible to minimize the costs associated with reputation problems
caused by a data breach, as long as there is a plan for resolving the
issues quickly. Letting problems linger--e.g., not promptly fixing the
login to a secure site so that a financial institution is no longer
vulnerable to further attacks--means the reputation issues also stay
unresolved.

Winning them back

According to Guihard-Joly, there is a high cost associated with winning
back the trust from customers and vendors, and the reputation-management
payouts can run as high as $100M for a severe incident. "These costs
include the idle time of users [not being productive], the forensics used
to determine the cause of the outage, technical support to restore the
systems and data, reputation and brand damage, lost revenue, and compliance
or regulatory failure," he says.

Many small businesses forget about the dangers of a security breach and
hope it never happens, he says. They don't put a disaster recovery process
in place and don't test the process to make sure the company can regain a
foothold.

Back in business

Another shocking revelation from the study last year had to do with the
number of companies that didn't bother with any continuity plan at all.
According to the study, 31% of small businesses do not have a plan on how
to recover from a data breach. Another 26% have a basic plan in place but
it is untested and unverified.

"Smaller, unregulated businesses may choose to take a risk or they put
recovery plans in place, but then through budget cuts and attrition, the
people leave that developed the processes and procedures," says
Guihard-Joly. "Those who step in don't test and they may think they are
covered, but they are not. They are one event away from experiencing
catastrophic damage to their reputation and significant financial damage to
their business."

Of course, the ultimate solution is to create a continuity plan--e.g., to
know exactly what steps you will take if a data breach occurs and have a
plan for restoring a reputation in addition to the security infrastructure
you use to prevent the breach. The faster that happens, the less cost
overall for the data breach. Those who fail to create a recovery plan are
the ones who end up headlining the evening news.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 