BreachExchange mailing list archives

What will your next data breach do to your business?


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Thu, 15 Oct 2015 11:38:27 -0600

http://www.information-age.com/technology/security/123460341/what-will-your-next-data-breach-do-your-business

The concept of a data breach is becoming worryingly common to anyone with
even a passing interest in the news. While Ashley Madison’s business model
may have helped propel its data breach into the headlines, it highlights
the potentially far-reaching impact of a public data breach.

Even with slightly less headline-grabbing incidents, the impact can be
beyond what anyone might expect. If we look at the fallout from the Target
breach in 2014, for example, the ramifications are still playing out. In
addition, public trust in the ability of large corporations to keep public
data safe has never been lower.

The question is whether organisations fully understand the risks and
consequences. It’s no longer a few negative articles in the press and a
slap on the wrist from the regulator - data breaches, no matter how
serious, can have lasting repercussions that seriously affect how a
business operates and competes.

When a breach occurs, it can send shockwaves across an entire organisation,
from the board down to the most junior of employees. But the damage isn’t
always immediately apparent, and it can take months for the real effects of
a breach to appear.

While there are countless ways a breach can damage an organisation, there
are three main areas that experience significant repercussions, and these
aren’t always the most obvious.

Financial - While this may seem like one of the most obvious effects of a
breach, the actual financial damage goes beyond a loss of revenue or
providing compensation to affected customers. Organisations have to take
into account fines that can be issued by the regulator.

In the UK alone, the Information Commissioner’s Office can impose fines of
up to £500,000, depending on the severity of the data breach. What’s more,
when the European Union’s General Data Protection Regulation (EU GDPR)
comes into force, the financial penalties will reach up to €100 million or
up to 2% of annual global turnover – whichever is greater.

Of course, that’s only if the breach involves data from someone who lives
in the UK or the EU. If the compromised data belongs to other nationals,
the firm could face further fines.

Operational - By digitising, capturing and utilising data, organisations
can put in place initiatives to transform business productivity and
innovation.

However, as we’ve seen with the NHS’s care.data programme, concerns about
data security can delay even the most innovative and potentially beneficial
projects.

Within an organisation, a breach can result in data paralysis, where
employees and customers alike are too scared to embrace data-led
initiatives. It can take months if not years for a business to get past
data security concerns - making space for competitors to move in.

Reputational - The reputational impact of a data breach can be one of the
hardest areas to measure, but also one of the most serious. The Ashley
Madison breach, for example, has effectively crippled the business’
reputation, and may make it difficult to attract new customers and provide
reassurance that their (highly personal) data is secure.

In the UK, consumer trust in the NHS and public sector has never been
lower, and a recent report from Big Brother Watch claims that local
authorities commit an average of four data breaches per day.

While it may seem that no organisation is safe, the Ashley Madison case
shows that the reputational consequences of a serious leak of customer data
can be unimaginable.

With all of this in mind, it is no surprise that the threat of data
breaches is rapidly moving up the corporate agenda. According to research
from the Ponemon Institute, 50% of businesses expect to increase their
corporate cybersecurity spending over the next two years.

However, a knee-jerk reaction to imposing security measures in anticipation
of a data breach can open up further vulnerabilities. If staff are too
scared to handle their data correctly, or don’t know what policies and rules
are in place, there’s a greater chance of something actually going wrong.

To tackle the data challenge, organisations need to take a holistic view of
how they handle data. Existing processes simply won’t cut it in today’s
data-rich environment. Key to this is a three-step approach incorporating
data policies, staff training and data protection technology.

Your staff needs to know what they’re permitted to do with the data, the
measures they need to protect it, and that there is a procedure in place
that can limit the impact of the breach, should one occur.

Ultimately, a data breach is one of the most serious and increasingly
common business threats, and it’s only by understanding the real impact of
a breach that organisations can safeguard themselves.