Only by understanding the real impact of a data breach on business can companies protect themselves
by James Pattinson, Vice President, EMEA, Absolute
The concept of a data breach is becoming worryingly familiar to anyone with even a passing interest in the news. While Ashley Madison’s business model may have helped propel its data breach into the headlines, it highlights the potentially far-reaching impact of a public data breach.
Even with slightly less headline-grabbing incidents, the impact can be beyond what anyone might expect. If we look at the fallout from the Target breach in 2014 for example, the ramifications are still playing out. In addition, public trust in the ability of large corporations to keep public data safe has never been lower.
The question is whether organisations fully understand the risks and consequences. It’s no longer a few negative articles in the press and a slap on the wrist from the regulator – data breaches, no matter how serious, can have lasting repercussions that seriously affect how a business operates and competes.
When a breach occurs, it can send shockwaves across an entire organisation, from the board down to the most junior of employees. But the damage isn’t always immediately apparent, and it can take months for the real effects of a breach to appear.
While there are countless ways a breach can damage an organisation, there are three main areas that experience significant repercussions, and these aren’t always the most obvious.
Financial – While this may seem like one of the most obvious effects of a breach, the actual financial damage goes beyond a loss of revenue or providing compensation to affected customers. Organisations have to take into account fines that can be issued by the regulator.
In the UK alone, the Information Commissioner’s Office can impose fines of up to £500,000, depending on the severity of the data breach. What’s more, when the European Union’s General Data Protection Regulation (EU GDPR) comes into force, the financial penalties will reach up to €100 million or up to 2% of annual global turnover – whichever is greater.
Of course, that’s only if the breach involves data from someone who lives in the UK or the EU. If the compromised data belongs to other nationals, the firm could face further fines.
Operational – By digitising, capturing and utilising data, organisations can put in place initiatives to transform business productivity and innovation.
Within an organisation, a breach can result in data paralysis, where employees and customers alike are too scared to embrace data-led initiatives. It can take months if not years for a business to get past data security concerns – making space for competitors to move in.
Reputational – The reputational impact of a data breach can be one of the hardest areas to measure, but also one of the most serious. The Ashley Madison breach, for example, has effectively crippled the business’s reputation, and may make it difficult to attract new customers and to reassure them that their (highly personal) data is secure.
In the UK, consumer trust in the NHS and public sector has never been lower, and a recent report from Big Brother Watch claims that local authorities commit an average of four data breaches per day.
While it may seem that no organisation is safe, the Ashley Madison case shows that the reputational consequences of a serious leak of customer data can be unimaginable.
With all of this in mind, it is no surprise that the threat of data breaches is rapidly moving up the corporate agenda. According to research from the Ponemon Institute, 50% of businesses expect to increase their corporate cybersecurity spending over the next two years.
However, a knee-jerk approach to imposing security measures in anticipation of a data breach can open up further vulnerabilities. If staff are too scared to handle their data correctly, or don’t know what policies and rules are in place, there’s a greater chance of something actually going wrong.
To tackle the data challenge, organisations need to take a holistic view of how they handle data. Existing processes simply won’t cut it in today’s data-rich environment. Key to this is a three-step approach incorporating data policies, staff training and data protection technology.
Your staff need to know what they’re permitted to do with the data, the measures they need to take to protect it, and that there is a procedure in place that can limit the impact of a breach, should one occur.
Ultimately, a data breach is one of the most serious and increasingly common business threats, and it’s only by understanding the real impact of a breach that organisations can safeguard themselves.