Last week your CEO opened an email about chimpanzees in ties trashing an office. You’ve just learned the email contained malware, which has been exfiltrating valuable data to an IP address in Iran.
After a brief panic attack, you start to calculate how much this is going to cost your company.
Spoiler alert! More than you think.
Where does your money go?
One of your first tasks will be to notify your regulator. Every state has a breach notification law, and you probably do business in more than one state – that’s a lot of intertwining rules to meet.
Then there are the fines. Depending on the scale of the incident, this might be anything from a slap on the wrist to monumental penalties, like the recent $5 billion fine the FTC handed Facebook.
The settlement agreement might also include a year’s credit monitoring for all affected customers. That could be another $300 per person.
You’ll probably also have to write a big check to your PR firm, which will explain to the general public that the breach wasn’t caused by your CEO but actually a very, very sophisticated hacker who was able to circumvent your state-of-the-art protections and steal your information.
If your PR firm is good, most of your customers will forget about the breach in a few months and your brand’s reputation will remain (mostly) intact.
Next are the legal bills. Your attorneys will be proactive in settling with regulators while fighting off the plaintiff bar. They will also be charging $150 an hour for paralegals.
Don’t ask what the partners get. It will be expensive, but they can probably guarantee your solvency.
On top of all these costs, you have to determine what caused the breach, and your CEO probably won’t admit to their mistake, assuming they even know about it.
So, you hire a bunch of techies to come in and tell you exactly how the breach occurred. These people will charge more than your lawyers.
It’s not over yet
After all that, it’s time to get back to work with this whole unpleasant affair over. Right?
The cost of a data breach doesn’t just disappear. It stays with you, and pops up when you least expect it.
You also need to factor in several residual expenses:
- Insurance costs
There is no such thing as accident forgiveness in cybersecurity insurance. Your premiums will go up after a hack.
The cybersecurity insurance industry is still learning how to actuarially identify and price out risk factors. There is no standard contract. All policies are tailored to what the underwriter perceives as your individual risk based on your company’s specific data risks and exposures, your industry, current practices, financial health, and other factors.
After a hack, you obviously look like a bad risk and may not be able to get any insurance – at least, not at a reasonable price.
- Cost of debt
Moody’s downgraded Equifax following its data breach because its security weaknesses were exposed. You may find that after a hack, your AAA rating has been downgraded to BBB, costing you millions in extra interest payments.
- Partner relations
Your supply chain is one of the most – if not the most – important parts of your business. Unfortunately, it is historically also a cause of some major breaches. To get the contract, or to just increase your desirability as a partner, you may need certification or to submit your organization to a second-party audit.
Every business needs a certain level of trust from its partners and customers. They must be assured that your products or services are excellent, and that their information is safe. If they do not have that assurance, they are likely to look for it elsewhere.
Avoiding security incidents
There is no such thing as complete cybersecurity. It’s all about not being the last gazelle in the herd. No amount of technology would have prevented your CEO or anyone else from making a mistake. This is why good cybersecurity is about constant vigilance.
IT Governance believes the best way to instill that vigilance is with ISO 27001. It’s not the latest technology, but a framework providing the specification for an ISMS (information security management system). Implementing an ISMS and achieving ISO 27001 certification demonstrates that you take information security seriously.
Through an initial implementation process and regular internal and external audits, you can be sure that your employees, processes, and technology are doing what they can to mitigate the threats your organization faces.
You can find out more by reading Information Security & ISO 27001 – An introduction. This free green paper helps you understand ISO 27001 and explore the benefits of achieving certification to the Standard.