So you’ve had a data breach. You’re not alone – almost 25% of businesses defended against 7 or more cyberattacks in 2020. In the stressful aftermath of the incident, you’ll be relying on your incident response plan to get your business back on track and start your recovery. But you may not have included something in your plan – do you disclose a data breach to your clients, your partners, your suppliers or the public at large?
One major factor to consider is the cost in dollars and cents. SMBs that disclose a breach are looking at an average of $93,000 in costs. But that cost skyrockets if the breach is reported by the media first, with a whopping $155,000 in damage. The cost for larger enterprises that disclose a breach is commensurate: a self-disclosed data breach runs about $1.13 million, but one that’s reported by the media first boosts that to nearly $1.6 million.
Do You Want to Know a Secret?
It goes without saying that part of your incident response plan is to report your data breach to the required regulatory authorities, both in your government and in your industry. You may also be legally required to inform clients or partners. But there are some hard choices to make about how you handle the circumstance and whether it’s to your company’s benefit to disclose a data breach officially. By weighing the positives and negatives of that calculus, it’s easy to see what the right decision is for every organization.
There are a number of negatives that your business faces by disclosing a data breach to the general public. While experiencing a data breach has grown significantly more common, it’s still an embarrassing and damaging incident. A Ponemon survey noted that 65% of consumers said a data breach had caused them to lose trust in an organization, and 27% discontinued their relationship with that company.
However, that changes substantially when considering your company’s reputation. As more non-tech folks become aware of the reasons that a company can suffer a data breach including nation-state hacking, public perception is changing. With hacking incidents becoming more common, firms that suffer from a data breach are increasingly being perceived as victims of cybercrime instead of irresponsible companies.
No one wants to tell the world that they’ve failed, but both regulatory requirements and savvy reporters almost guarantee that someone is definitely going to find out, especially if your data security incident involves nation-state hacking. Although companies do still try to deny or refuse to comment on data breach news reported by the cybersecurity press, it is always clear that they are not telling the truth, and that is not a good look for any business.
But as you are making your decision, consider what the downsides of disclosing a data breach could be:
- Your company suffers public embarrassment.
- The company will be criticized.
- Your company’s security practices will be scrutinized and flaws will be pointed out, as Twitter experienced after a wacky incident in 2020.
- It becomes something that pops up in a Google search.
- Your clients will know about it.
- Your competitors will know about it.
- The press is likely to report on it.
- You may have been able to sweep it under the rug, but not now.
- Your company’s reputation may be damaged.
- You may be impacted by the news of this incident in future transactions.
Even while recovering from a data breach incident, there are still a few positives that your business can reap from this situation. In an increasingly dangerous and tumultuous threat landscape, more businesses are experiencing cybersecurity incidents like a data breach than ever before – small and medium business data breach incidents are expected to rise by more than 40% this year.
What benefits could your business possibly wring out of a cybersecurity disaster? More than you think.
- You get the opportunity to control the narrative by setting out the facts about your incident and how your business is handling it.
- You get your message out ahead of stories that may be published by any industry press.
- Your company demonstrates a commitment to honesty and transparency.
- You are more likely to save money in recovery costs.
- You demonstrate that your company does take cybersecurity seriously because you found the breach. This was recently a positive outcome for FireEye as the Solarwinds scandal began unfolding.
- You have an opportunity to communicate to your customers that you are taking action to prevent this from happening again.
- You can clearly communicate what remediation and prevention of further harm you are providing to your clients, like credit and identity theft protection or Dark Web monitoring.
The Bottom Line
When your business has experienced a cybersecurity problem like a data breach, every second counts in recovery, and that includes reputation management. After comparing the lists of positives and negatives, it’s easy to see that disclosing the incident publicly, whether you send out a press release or make a company blog post, is the smart choice for every business.
Plus, as part of your disclosure, you can reassure your clients that you are addressing the issue that led to the breach. It is essential that you not only admit that the breach happened but also disclose how it happened and what you’re doing to fix that security pitfall. The following tools can help you avoid future breaches and rebuild customer trust by showing that you’ve strengthened your security to keep it from happening again.
- Add multifactor authentication (secure identity and access management tops CISO priority lists for 2021 because it protects you from many kinds of cybercrime) to guard against phishing-related password theft and credential stuffing attacks.
- Add improved security awareness training including phishing resistance training with Optistar to reduce your chances of suffering another cybersecurity incident by up to 70% and build a stronger, more resilient cybersecurity culture.
- Add Optistar’s Dark Web Monitoring to stay on guard against account and password compromise with 24/7/365 human and machine-powered monitoring to make sure that you find out that your company’s credentials are for sale in Dark Web markets before the bad guys do.
Do you really want to wait until after a cybersecurity incident to take preventative measures against a cyberattack? No, you don’t – contact our security experts at Optistar today regarding how to make your company’s cybersecurity strong enough to withstand the pressures of today and tomorrow.