2018 is a ground-breaking year for information security. Regulators are now enforcing the General Data Protection Regulation (GDPR), meaning that any company handling data on EU data subjects must comply with it. This has given organizations a renewed focus on security and a better understanding of business resilience.
In the meantime, cyber threats continue to mount. Breaches at companies including Equifax and Verizon made the headlines, and the number of compromised records and the potential effect on victims are growing. Cyber criminals are also concentrating on tried-and-tested exploits while continually investigating new ones. Ransomware continues to grow, and further attacks such as cryptojacking are quickly spreading.
The stakes are clearly rising, yet companies are often standing still in the race to deal with security threats. What’s even more concerning is that many are standing still despite the potential economic and financial impact of a breach.
The estimated loss of revenue as a result of a breach is forecast at 10.29%, and the estimated cost of recovering from a breach is over $1m USD, a figure that has been rising year on year, according to our latest Risk:Value Report. This key report, produced by NTT Security, examines the attitudes of global business decision makers and the value of information security. While the estimated costs of a breach are widely reported, they often do not take into account the cost of reputational damage, brand erosion and lost business, which can be hard to quantify; business leaders should therefore take note and think twice when assessing the risk of a cyber attack.
Insider threats, poor data security and a lack of cybersecurity preparation are all identified as significant areas of weakness for organizations in the Risk:Value Report.
Equifax’s data breach is perhaps one of the highest-profile incidents we’ve seen in recent years – and it’s arguably one of the most costly. In fact, the Ponemon Institute estimated that the total cost of the breach could be well over $600 million. It’s no surprise that it has been a wake-up call for many businesses, and new breaches act as a constant reminder.
Just last week, Carphone Warehouse admitted to a large data breach involving 5.9 million customers. Although it’s too early to estimate the financial impact of the breach, the Information Commissioner’s Office (ICO) is investigating whether to assess the breach under the GDPR or under the Data Protection Act, because the incident reportedly occurred last July.
If it is assessed under the Data Protection Act, the ICO will have the power to fine the company up to £500,000; under the GDPR, however, the consequences could be far more severe – up to €20 million or 4% of annual turnover (whichever is higher).
Companies are right to worry about the financial impact of a data breach – both in terms of short-term financial losses and long-term brand and reputational damage – but the reality is that not enough is being done to mitigate the impact of a breach. No company, regardless of its size, region or sector, can afford to ignore the consequences of what are increasingly sophisticated and targeted security attacks.
Nor can it ignore the implications of a data breach now that GDPR penalties are in place, or overlook the consequences of a breach beyond the financial ones.
Every business therefore needs a well-structured, efficient incident response plan to help to contain a breach and limit its damage. The right intelligence about the impact of any incident will drive a proportionate response and focus resources to minimize damage and disruption, returning to business as usual as quickly and smoothly as possible.
And, if there are not enough resources in-house, organizations might want to consider outsourcing to a Managed Security Services Provider (MSSP). A trusted provider such as NTT Security can take the time-consuming and repetitive workload away from an organization’s IT team, leaving it to get on with managing the business.