- When is a data breach coming?
- 3 ways incident response protects organizations
- Dealing with the inevitable and avoiding the rest
Read more below.
Safeguard Brand Value with Privacy Best Practices
According to the latest Ponemon Institute Cost of a Data Breach Report, lost business costs account for the largest share, by far, of the average cost of a data breach: about 40%. According to Cypress Data Defense, breaches caused customer turnover of as much as 3.9% in 2019, and 62% of Americans claim they would stop spending money with an organization for months as a result of a data breach. Of the 29 percent of businesses that lose revenue after a breach, 38% experience a loss of 20 percent or more.
As the Buddhist saying goes, “Pain is inevitable. Suffering is optional.” In this information-driven world, data breaches are inevitable, but negative business impacts can be mitigated by effective incident response. According to Ponemon, the average total cost of a data breach for companies with an incident response team and a tested incident response plan using tabletop was $3.29 million, compared to $5.29 million for companies with neither an incident response team nor tests of the incident response plan — a difference of $2 million.
While the Ponemon report doesn’t say how incident response can lower breach costs by almost 40%, there are plenty of ways an incident response team can help minimize the business impacts of a breach.
Better Incident Response Protects Customers and the Business
We usually think of incident response in the context of compliance, but it can also have a profound impact on how an organization is perceived by customers and the public. Here are just a few ways the incident response team can protect the organization:
- Speed of investigation and assessment: Fast, accurate incident investigation and assessment not only helps in meeting regulatory deadlines but also gives management and public relations the information and time they need to plan how to handle announcements and other communications about a breach.
- Accurately assessing risks to the affected population: If an incident affects an especially vulnerable population, such as children or seniors, or an especially visible population, such as celebrities or public figures, it’s important to know that and communicate it to decision-makers so they can make decisions whether to take extra mitigation measures and/or tailor notifications and how to account for the special circumstances in their communication strategy.
- Avoiding over- or under-reporting: Of course, you don’t want to fail to notify regulators or affected individuals if notification is required, and you don’t want to miss notification deadlines. But you also don’t want tight deadlines to push you into over-reporting, because that also risks your brand reputation. You could lose business if a potential customer or business partner did some research and found frequent breaches, or if a competitor or journalist decided to publicize your record. Your incident response process needs to be efficient and accurate enough to deliver the right notification decision in time to meet regulatory deadlines without risking the reputational consequences of over- or under-reporting. Using an automated incident response platform can help speed and accuracy of the process, as well as ensuring consistent decision-making that will protect your organization if regulators have questions. (Because regulatory fines also make the news.)
Dealing with the Inevitable and Avoiding the Rest
An analysis of reputational damage by Varonis used two extreme cases to illustrate the business impacts of data breach response. The retailer Target discovered its massive point-of-sale data breach within 16 days and reported it to the public 20 days later. They invested heavily in better security and publicized those efforts. While their consumer perception dipped immediately after the breach, it steadily recovered over the next four years.
In contrast, ride service Uber discovered a breach in October 2016 but paid the hackers to delete the stolen data, then didn’t disclose the breach for over a year. When it was disclosed, the company faced fines, seriously diminished public trust, and loud public criticism from numerous state attorneys general.
Of course, most breaches are not mega breaches like Target’s, and we would like to think that no organization responsible enough to have an incident response team would hide a major breach for a year. But the point remains, incident response can have profound impact on brand and business. A tested, consistent incident response process, an automated workflow to speed data gathering and decision-making, and an accurate multifactor risk assessment will give your organization the time and information it needs to handle incidents well and protect its reputation.
And a process that includes good metrics, ongoing analysis, and continuous improvement will help lower the number of incidents that have to be handled, minimizing both breach pain and reputational suffering. Because, if we’re mindful enough about incident response, not all pain is inevitable.
To make the case to prioritize incident response, try our free ROI calculator to identify the tangible value of operational efficiency.