This summer, IBM and Ponemon Institute published a startling global study on how much data breaches cost businesses per year. With approximately 90 percent of cybersecurity incidents affecting small businesses and 1 in 5 companies having experienced a security breach so far this year, the study illustrates how two common security weaknesses (careless password handling and unpatched network vulnerabilities) lead to data breaches that can financially cripple your small business.
Data Breaches Cost U.S. Businesses Hundreds Per File
According to IBM and Ponemon Institute's research, the average total cost of a data breach this year is $4 million, up 29 percent since 2013. After analyzing 383 companies in 12 countries, the study found that the average total organizational cost of a data breach for U.S. businesses is $7.01 million.
The average global cost of a stolen record from a data breach is $158. Germany and the United States have the highest average cost per stolen record, at $213 and $221 respectively. It goes without saying that the more records stolen during a breach, the higher the cost. For instance, a company could lose about $2.1 million for fewer than 10,000 compromised records, and up to $6.7 million for more than 50,000 compromised records.
Business Expenses During and After a Data Breach
The costs of an enterprise data breach go well beyond the value of the stolen records. A business could be financially crippled or completely destroyed by the following recovery costs during and after a data breach:
- Notification costs: Notification costs refer to “IT activities associated with the creation of contact databases, determination of all regulatory requirements, engagement of outside experts, postal expenditures, email bounce-backs, and inbound communication setup.” On average, a U.S. business could pay about $590,000 in notification costs.
- Detection and escalation costs: This includes costs from investigative activities, assessment and auditing services, crisis management, communication with executives and other stakeholders, etc. According to this report, detection and escalation activities cost U.S. businesses an average of $730,000. The average detection and escalation costs were highest in Canada ($1.6 million) and France ($1.43 million).
- Post breach response costs: These costs include help desk services, inbound communications, special investigations, remediation, legal fees, product discounts, identity protection services, regulatory interventions, etc. According to this study, U.S businesses could pay an average $1.72 million in post data breach response costs.
- The loss of customers: One of the most damaging results of an enterprise data breach is lost business, which encompasses abnormal customer turnover, increased customer acquisition activities, reputation damage, and diminished customer loyalty. How much could a business pay for losing customers? In the U.S., businesses can lose up to $3.97 million.
Adding up these four categories ($590,000 + $730,000 + $1.72 million + $3.97 million) gives the $7.01 million that the study reports as the average total cost of a data breach for a U.S. business.
Why Your Employees, Passwords, and Network Vulnerabilities Could Put Your Company at Risk
There are two major vulnerabilities within your company that you need to address as soon as possible:
- Poor password management among employees: Regardless of how strict your company's cyber security policies are, most employees will rarely adhere to them outside of the office. As a result, employees bring their poor password habits to the workplace. These habits include sharing passwords with co-workers in the clear (in chat messages, email, or on sticky notes), reusing the same or near-identical credentials across different accounts, and protecting important accounts with weak, predictable passwords. A single reused password means that a breach of one low-value site can hand an attacker the keys to your company systems.
- Unpatched network vulnerabilities: Organizations of all sizes should keep an inventory of their networks and data assets and monitor them for missing patches, vulnerabilities, and security gaps. Consider how data and other communications travel across your network. Do your employees use cloud communications and mobile devices when they connect remotely? Is this data shared with third parties and other business associates? If your company handles sensitive information, including patient health records or customer payment information, or uses remote servers to store company data, attackers will see your business as an attractive target.
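The password habits described above can be measured rather than guessed at. The following script is an added example, not part of the original article or of the IBM/Ponemon study: given an export of account credentials (a constructed sample is embedded here), it flags passwords that are blocklisted, short, low in character variety, or derived from the username, and it compares SHA-256 fingerprints to find the same password reused across one employee's accounts or shared between employees. The blocklist and thresholds are assumptions for the example, and a real audit would read its input from a password manager export under explicit authorization.

```python
import hashlib
from collections import defaultdict
from typing import Dict, List, NamedTuple, Tuple

# Constructed sample input: (user, account, password). These are not real
# credentials; in a real audit they would come from an authorized vault export.
SAMPLE_CREDENTIALS: List[Tuple[str, str, str]] = [
    ("alice", "crm", "Summer2016"),
    ("alice", "email", "Summer2016"),       # reused by alice on two accounts
    ("bob", "crm", "Summer2016"),           # the same secret as alice: shared
    ("bob", "vpn", "x9$Lq!v2Pw#7mK4d"),     # a good password, should not be flagged
    ("carol", "crm", "password"),           # blocklisted
    ("carol", "email", "carolcarol"),       # built from the username
    ("dave", "crm", "Tr0ub4dor&3xyz"),
    ("dave", "email", "Tr0ub4dor&3xyz"),    # strong, but reused across accounts
]

# Assumed blocklist; a real one would be a large list of breached passwords.
BLOCKLIST = {"password", "123456", "qwerty", "letmein", "welcome"}
MIN_LENGTH = 12


class Finding(NamedTuple):
    user: str
    account: str
    issue: str


def fingerprint(password: str) -> str:
    """Hash so that reuse can be detected without writing plaintext to the report."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()[:16]


def weak_reasons(user: str, password: str) -> List[str]:
    """Return every reason a single password is considered weak (empty if none)."""
    reasons = []
    low = password.lower()
    if low in BLOCKLIST:
        reasons.append("blocklisted")
    if len(password) < MIN_LENGTH:
        reasons.append("short")
    if user.lower() in low:
        reasons.append("contains-username")
    classes = sum(
        any(f(ch) for ch in password)
        for f in (str.islower, str.isupper, str.isdigit, lambda c: not c.isalnum())
    )
    if classes < 3:
        reasons.append("low-variety")
    return reasons


def audit(credentials: List[Tuple[str, str, str]]) -> List[Finding]:
    """Flag weak passwords, reuse across one user's accounts, and sharing between users."""
    findings: List[Finding] = []
    holders: Dict[str, List[Tuple[str, str]]] = defaultdict(list)
    for user, account, password in credentials:
        holders[fingerprint(password)].append((user, account))
        for reason in weak_reasons(user, password):
            findings.append(Finding(user, account, reason))
    for entries in holders.values():
        if len(entries) < 2:
            continue
        users = {user for user, _ in entries}
        issue = "shared-between-users" if len(users) > 1 else "reused-across-accounts"
        for user, account in entries:
            findings.append(Finding(user, account, issue))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CREDENTIALS):
        print(f"{finding.user:<6} {finding.account:<6} {finding.issue}")
```

The report never contains a password, only who holds a flagged one and why; that is enough to drive a reset campaign and a conversation about a password manager without the audit itself becoming a credential leak.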
Understanding Risks and Allocating Resources Can Help You Defend Against a Cyber Attack
To survive in a business climate where data distribution and cloud-based communications have become a necessary part of day-to-day operations, businesses of any size should implement these critical safety measures:
- Match employees' access levels to the requirements of their job duties. If an employee doesn't need access to sensitive client information, don't grant it. If you must give certain employees access to sensitive data, at the very least require that they obtain authorization before venturing into restricted territory. When updating an employee's role or network access level, update his or her permissions at the same time so that rights from the old role do not carry over. Upon termination, immediately deactivate all network login credentials, regardless of the reason for separation.
- Educate employees on the latest cyber security threats. Conduct ongoing training and information sessions to keep employees abreast of current threats: teach them how to spot a phishing email, show them how social engineering works, cover good password hygiene and sensible BYOD (bring-your-own-device) practices, and walk them through the timeline of a security breach. Also give them a consistent response plan to follow if they accidentally open something that looks suspicious, so that a mistake is reported rather than hidden.
- To stay on top of increasing cyber threats and attacks, IT teams must be able to recognize, analyze, and respond in real time. Creating an impenetrable force field around your data is virtually impossible, but managing your risk by investing in encryption and in dedicated password and access management software is an achievable goal and doesn't have to break the bank. In addition, give your IT team the resources to manage DNS issues, establish appropriate firewalls, and build better overall network visibility and monitoring.
- Organizations of all sizes should fine-tune their threat-hunting strategy by carefully monitoring networks and data assets for vulnerabilities and security gaps. Effective threat hunting combines threat analytics, intelligence, and security tools with human knowledge and experience.
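The first measure above (access matched to job duties, authorization before touching sensitive data, permissions re-derived on a role change, and immediate revocation on termination) is easy to state and easy to get wrong in an implementation. The following is an added example, not code from the article or from any product it mentions: a small role-based access model that denies by default, treats an unknown role or an inactive account as having no rights, requires a recorded authorization for sensitive permissions on top of role membership, drops those authorizations when a role changes, and can report who currently holds each sensitive permission for periodic review. The roles and permission names are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Set

# Hypothetical role-to-permission map for a small company (constructed).
ROLE_PERMISSIONS: Dict[str, FrozenSet[str]] = {
    "sales":   frozenset({"crm:read"}),
    "support": frozenset({"crm:read", "tickets:write"}),
    "billing": frozenset({"crm:read", "payments:read"}),
    "it":      frozenset({"crm:read", "payments:read", "users:manage"}),
}

# Permissions over sensitive data: role membership alone is not enough,
# the employee also needs an explicit, recorded authorization.
SENSITIVE: FrozenSet[str] = frozenset({"payments:read", "users:manage"})


@dataclass
class Employee:
    name: str
    role: str
    active: bool = True
    authorized: Set[str] = field(default_factory=set)  # approved sensitive perms


def is_allowed(emp: Employee, permission: str) -> bool:
    """Default deny: every check must pass before access is granted."""
    if not emp.active:                                   # terminated: never
        return False
    granted = ROLE_PERMISSIONS.get(emp.role, frozenset())  # unknown role: nothing
    if permission not in granted:
        return False
    if permission in SENSITIVE and permission not in emp.authorized:
        return False                                     # role ok, no approval yet
    return True


def authorize(emp: Employee, permission: str) -> bool:
    """Record an approval; refuse if the role cannot hold the permission at all."""
    if permission not in ROLE_PERMISSIONS.get(emp.role, frozenset()):
        return False
    emp.authorized.add(permission)
    return True


def change_role(emp: Employee, new_role: str) -> None:
    """Move to a new role; approvals never carry over, they must be re-requested."""
    emp.role = new_role
    emp.authorized.clear()


def terminate(emp: Employee) -> None:
    """Deactivate immediately, whatever the reason for separation."""
    emp.active = False
    emp.authorized.clear()


def sensitive_access_report(staff: List[Employee]) -> Dict[str, List[str]]:
    """Who can exercise each sensitive permission right now; review this regularly."""
    return {
        perm: sorted(e.name for e in staff if is_allowed(e, perm))
        for perm in sorted(SENSITIVE)
    }


if __name__ == "__main__":
    bob = Employee("bob", "billing")
    print(is_allowed(bob, "payments:read"))   # False: no authorization yet
    authorize(bob, "payments:read")
    print(is_allowed(bob, "payments:read"))   # True
    change_role(bob, "sales")
    print(is_allowed(bob, "payments:read"))   # False: approval dropped with the old role
    terminate(bob)
    print(is_allowed(bob, "crm:read"))        # False: account deactivated
```

The two design points worth copying are that the check function has a single path to True and several to False, and that a role change clears approvals rather than leaving the employee with the union of old and new rights, which is how privilege quietly accumulates over a career.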