Do you know what it would cost your business if you fall victim to a cyber attack? Data security breaches are a factor of our everyday lives, many of which do not get the press attention that the likes of TalkTalk, Marks and Spencers and travel agents Thompson have attracted in recent months.
While your company may be fortunate in avoiding the headlines if you do have a data breach, the damage is still likely to be significant. Large or small, UK businesses must be proactive in how they combat cyber threats, and ensure they are doing everything possible to reduce the impact these can have on their business and profitability.
Cost Of A Data Security Breach Has Doubled For Small Businesses
The 2015 Information Security Breaches Survey produced by the Department for Business Innovation & Skills makes for sobering reading. Security breaches have increased for both large and small organisations, with 90% of large organisation reporting having suffered a security breach in 2014. For small businesses the increase in the cost of a single data breach is significant, doubling in the last two years from an average worse security breach of £35 – £65k in 2013, to £75 – £311k in 2015.
59% of respondents expect to see more security incidents in the next year than the last. Organisations need to ensure they have the right defences in place to counteract this expected increase. Interestingly 28% of correspondents cited that a ‘lack of priority’ from senior management was a contributing factor in their single worst breach. In my experience this lack of priority often means that while security measures are in place within an organisation, poor communication and implementation is often the reason for the data breach, a top down approach is needed.
One way of ensuring that security does become a top priority in your organisation is to understand how a serious data breach can impact on your business. Where do figures such as £311k come from, or in the case of large organisations £600k – £1.15m?
Of course these figures vary depending on the nature of the data breach and the industry targeted. For example, a data breach involving a healthcare organisation is likely to cost more than one affecting a retailer because of the type of data each organisation stores and the regulatory landscape.
Typically these factors contribute to the overall cost of a data security breach:
- Investigation: Whether carried out in-house or by an external provider, a team needs to determine how the system was compromised and what data was affected
- Remediation: Having identified how the breach happened and ensured that there is no malware still undetected in the system, measures need to be taken to prevent a similar breach from occurring again
- Notification: Depending on your business and the nature of the data breach you must notify those affected. You may also need to notify industry regulators, the media and the police. Consider how much it might cost to send out a notification by first-class post to all your customers
- Identity-theft repair and credit monitoring: As a result of the recent TalkTalk data breach customers have been offered a year’s worth of credit monitoring by the telecoms organisation
- Business disruption: system downtime prevents normal business activities, resources may also have to be diverted to dealing with the data breach and key employees taken away from their core competencies
- Lost sales: including abnormal turnover of customers, increased customer acquisition activities, reputation losses and diminished goodwill
- Recovery of assets: these may include lost data, and corrupted software or systems
- Fines and compensation: depending on your industry, your organisation may be subject to fines from regulators. Those affected by the data breach may also be eligible for compensation, or you may be at risk of legal action and the costs associated with that
If the above has given you some food for thought, what are the next steps to take to ensure that your organisation is doing all it can to avoid the costs associated with a data breach by reducing the likelihood of an attack?
How To Prevent Data Security Breaches
Firstly, I would recommend a comprehensive security risk assessment to identify areas that may be at risk. Naturally any unprotected weaknesses in your IT infrastructure and network security should be addressed immediately.
Policies should also be put in place within your organisation to ensure that employees, contractors and suppliers are aware of your organisation’s risk management boundaries, and the acceptable and secure use of your organisation’s ICT systems. Clear communication, training and regular security awareness activities should all be part of your ongoing cyber security measures.
Plans should be put in place to manage breaches if they occur. This should include incident response, disaster recovery and business continuity plans.
The government has produced a cyber security document aimed at UK businesses called 10 Steps: 10 Critical Areas. This gives further guidance on reducing the risk of cyber attack and managing incidents.
In all probability most businesses will experience an information security incident at some point, but the risk can be managed and therefore the impact on your organisation reduced.
If you would like to discuss any of this with me, or member of the team, contact us on 0845 507 0846.