Question

What are some to the hidden cost an organization need to deal with after a data breach? Use your own word

Answer 1

Detection, escalation, notification and post data breach response

The four main activities that follow a data breach are detection, escalation, notification and post data breach response – and they all mean additional costs to an organization.

Detection and escalation: Activities that enable a company to detect and report a breach to appropriate personnel within a specified time period.

• Forensic and investigative activities
• Assessment and audit services
• Crisis team management
• Communications to executive management and board of directors

Notification costs: Activities that enable the company to notify individuals who had data compromised in the breach (data subjects) as regulatory activities and communications.

• Emails, letters, outbound telephone calls, or general notice to data subjects that their personal information was lost or stolen
• Communication with regulators; determination of all regulatory requirements, engagement of outside experts

Post data breach response: Processes set up to help individuals or customers affected by the breach to communicate with the company, as well as costs associated with redress activities and reparation with data subjects and regulators.

• Help desk activities / Inbound communications
• Credit report monitoring and identity protection services
• Issuing new accounts or credit cards
• Legal expenditures
• Product discounts
• Regulatory interventions (fines)

Lost business cost: Activities associated with the cost of lost business, including customer turnover, business disruption, and system downtime.

• Cost of business disruption and revenue losses from system downtime
• Cost of lost customers and acquiring new customers (customer turnover)
• Reputation losses and diminished goodwill

This last point is important, as once an organization has lost the trust of their customers, it is very difficult to win it back, with 64 percent of consumers saying they are unlikely to do business with a company where their financial or sensitive data was stolen.

Increase in third-party website breaches

Aside from these figures, there are two other important points to take away from the findings:

• The percentage of malicious or criminal attacks as the root cause of data breaches in the report crept up from 42 to 51 percent over the past six years of the study, a 21 percent increase
• Breaches originating from a third party – such as a partner or supplier – cost companies $370,000 more than average

The increase in third-party vulnerabilities emphasizes the need for companies to closely vet the security of the companies they do business with, align security standards, and actively monitor third-party access.

Global beauty brand Sephora was forced to email online customers to inform them of that their personal information may have been exposed to unauthorized third parties, including first and last name, date of birth, gender, email address, and encrypted password, as well as data related to beauty preferences.

As this example demonstrates, your company website is one area where third parties can present an access point to your customers’ sensitive information – and yet it is often overlooked by the security team. However, it is important to mitigate any threat from third party vendors by creating an allowlist and a blocklist that allow you to only share data with trusted vendors.

With the loss or theft of more than 11.7 billion records in the past three years alone, the Ponemon report urges companies to be aware of the full financial impact that a data breach can have on their bottom line – and focus on how they can reduce these costs.

Speak to us about how we can help manage and secure all your third-party vendor technologies to prevent unauthorized data collection and prevent a potentially disastrous data breach within your organization.

Some more of the report’s headlines findings include:

• Malicious breaches: More than 50 percent of data breaches resulted from malicious cyberattacks and cost companies $1 million more on average than those originating from accidental causes
• Mega breaches: While less common, breaches of more than 1 million records cost companies a projected $42 million in losses; and those of 50 million records are projected to cost companies $388 million.
• Practice makes perfect: Companies with an incident response team that also extensively tested their incident response plan experienced $1.23 million less in data breach costs on average than those that had neither measure in place.
• U.S. breaches cost double: The average cost of a breach in the U.S. is $8.19 million, more than double the worldwide average.