By Simone Petrella, CEO and co-founder of CyberVista
A major data breach can cause serious damage to an organization. While there can be a variety of underlying reasons for an attack, many breaches are caused by incompetence or a lack of investment at the internal level, including a lack of company-wide training and security controls.
A Forbes Insight report found that 46% of organizations had suffered damage to their reputations and brand value as a result of a data breach, and 19% of organizations suffered reputation and brand damage as a result of a third-party security breach.
Becoming subject to a major breach is highly unfavorable for a company’s corporate reputation and the consequences will continue to affect the company’s image over time. Companies have to be confident that their security team is prepared for an attempted breach because it is more beneficial to prepare for the worst than it is to put out fires.
Preparing Your Business
Data breaches cause much more than financial damage; they can also trigger job losses, strained connections, and regulatory fines. Even further, they can irreparably harm companies’ long-term reputations and relationships with stockholders, clients, and the public. Fortunately, this damage can be mitigated when companies are adequately prepared to respond to cyberattacks.
In IBM’s 2020 Cost of a Data Breach report, organizations that formed incident response (IR) teams and tested their incident response plans reduced the average total cost of a data breach by $2 million compared to organizations that had no IR team and did not test any IR plans. The key is to evaluate and adjust outdated incident response plans and the staff responsible for executing them, as this will optimize your organization’s ability to respond adequately to these attacks.
When companies notice the intrusion too late or respond insufficiently, they often see a decline in sales and a PR nightmare fueled by a negative spotlight in the media. A study by Ponemon Institute reveals that data breaches are just as damaging to brand image as poor customer service and environmental disasters. The negative association with the breach is hard to shake, and it takes years for a company’s reputation to recover.
Cybersecurity Under Scrutiny
According to the same Ponemon Institute study, data breach costs jumped 10% in 2021 from $3.86 million to $4.24 million, the highest average total cost in the 17-year history of the data-breach report. The average cost was also a whopping $1 million higher in breaches where remote work was a factor in causing the breach.
An example can be seen in the response to a data breach last fall, where the nonprofit health system Centerstone announced that personal and protected patient health data was potentially exposed.[1] Centerstone had to notify all patients and employees that their healthcare information had been compromised. This would leave lasting effects on the organization’s branding and relationships. Interestingly, Centerstone’s first move after publicly disclosing the breach was to announce it was investing over $800,000 in IT security system upgrades, as well as investments in workforce training. These costs are investments far beyond the cost of the breach investigation and remediation itself.
Building Bridges Over Breaches
The risk of cyberattacks on businesses has increased with the pandemic, which created one of the largest transitions of in-house employees to virtual teams and remote offices. This recent mass transition to remote work was coupled with a rise in digital transformation initiatives, largely implemented through cloud strategies. According to the same IBM 2020 Cost of a Data Breach report mentioned above, having a remote workforce was found to increase the average total cost of a data breach by approximately 15%. Results from the study also revealed that lost and stolen credentials, along with cloud misconfigurations, were the most common root causes of a data breach.
To mitigate cyberattacks and data breaches, organizational leaders should consider implementing a “zero trust” strategy to properly prepare their employees for these scenarios. I recommend taking a diagnostic, assessment-first approach that allows companies to gain measurable insights into the skills of their cybersecurity teams. As a result, the employees on those teams will be better prepared in their responsibility to detect and respond to breaches in a more effective and timely manner, minimizing (if not outright eliminating) damage to a company and its reputation that may otherwise result from a potential breach.
However, such approaches to cybersecurity are only as effective as the qualifications and wherewithal of the staff trained to address them. Given this, organizational leaders must not only formulate strategies to best implement approaches such as this, but also ways to make training cybersecurity staff more meaningful and effective. An effective cybersecurity team will help address the issues that arise in the event of a breach. By remaining open to working with systems that develop a company’s cybersecurity workforce through data-driven technical assessments and training, companies can better ensure a proactive response in the event that a breach occurs.
Coming to Terms
As malicious cyberattacks have become increasingly common in recent years, the length of time that it takes an organization to detect and contain a breach must be reduced as much as possible. IBM’s 2020 study shows us that, when compared to the cost of implementing proper cybersecurity measures proactively (or reactively), the cost of losing customers and rapport among industry partners and company shareholders is drastically higher.
Corporate leaders likewise must recognize that recent executive orders and regulations still fall short of making critical cybersecurity infrastructure more secure. However, this can be combated by not defaulting to outdated strategies in cybersecurity that rely solely on technology and process solutions, and instead implementing purposeful measures from actionable insight gathered from skilled cybersecurity professionals that best align with their organization’s overall goals.
Business leaders need to willingly place trust in cybersecurity experts to develop a made-to-measure solution that evolves into long-term success for the company. An organization’s workforce must grow into (or at least alongside) a cyber-enabled team to drive and bridge together data, efficiency, and practicality. Companies that have relied upon unorganized collections of cybersecurity training materials must implement newer and better solutions that feature visibility, accountability, and concrete performance metrics to ensure proficiency and prevent data breaches that would otherwise cause irreversible damage to their reputation.
[1] https://centerstone.org/notice-of-security-incident/
Bio
Simone Petrella is CEO and co-founder of CyberVista. Previously, she was a senior associate at Booz Allen Hamilton, where she helped build the firm’s cybersecurity practice in the commercial sector focusing on the creation of cyber fusion centers and the integration of cyber threat intelligence, security operations, and cyber defense operations into effective cyber security operations. For a decade, she led the firm’s all source cyber threat intelligence business in the national security and defense sectors, where she built out a threat capability and team with in-depth subject matter expertise in all aspects of cyber threat intelligence, including intelligence support to both defensive and offensive operations. Her areas of specialty included predictive cyber intelligence based on an understanding of the threat adversary and developing service offerings to integrate intelligence into exercises to provide realistic cyber scenarios.