The true cost of a data breach

From the General Data Protection Regulation (GDPR) coming into force in May, which fundamentally changed the rulebook for storing the data of EU citizens, through to the Butlin’s hack, 2018 has been a very significant year for cybersecurity.

One of the biggest changes centred around transparency, specifically businesses being required to notify the relevant supervisory authority within 72 hours of becoming aware of a breach, and to tell the affected individuals without undue delay where the breach puts them at high risk. While most US states have had breach notification laws for some time, businesses in the EU were generally not required to state publicly when a breach occurred, leaving them free to keep significant news like this from their customers. Now that things have changed, the pressure is starting to build in the EU.

A financial hit

The first thing anyone thinks of when considering the cost of something is how it can be expressed in monetary terms. Up until now it has been difficult to pinpoint the exact cost of a data breach, given that many companies are not willing to reveal what they have spent cleaning up after being hit, or the drop in their sales figures. There are some indications that can offer guidance, though. Studies such as the Ponemon Institute’s annual Cost of a Data Breach report aim to paint a clearer picture, indicating that the average cost is currently $3.62 million globally ($141 per lost or stolen record) and as much as $7.35 million in the US.

That is only the average, however, and some financial hits are much bigger. According to its most recent SEC filing, Equifax has spent $242.7 million and counting since its data breach, which exposed the sensitive financial and personal information of nearly 148 million people. To put this in context, Equifax spent nearly as much in just seven months as Target ($252 million) did in the two years after its 2013 data breach. That is a big hit to the bottom line for leaving consumer data unencrypted and exposed, so that once attackers were inside they could simply help themselves.

Moving forward, we should start to see a clearer picture of the tangible financial cost of a data breach through legislation like GDPR, under which regulators can fine companies up to €20 million or 4% of global annual turnover, whichever is higher, where a breach reveals that they failed to meet the regulation’s security or notification obligations.

The reputational impact

As well as businesses suffering a clear financial hit, the transparency requirements of GDPR have increased the potential for companies to suffer reputationally too. As consumers become more aware of the growing number of breaches, they are starting to understand that they hold the power in the relationship, particularly with GDPR giving them rights such as the ‘right to be forgotten’.

Companies need to realise that if they get breached, consumers will simply move to another brand they consider more secure. Take the case of TalkTalk as an example. Following its well-publicised data breach, the company lost around 100,000 customers who decided they could not trust the business to keep their details safe. In this case the CEO also had to step down, a consequence that is becoming more common, with senior management usually in the firing line when a breach occurs.

It’s not just a reputational hit with customers that can affect a business either. Yahoo! had to lower its asking price by $350 million for its acquisition by Verizon after it disclosed breaches that affected more than a billion accounts.

Mitigating the risks and costs of a breach 

So, with regulation making things more transparent and media headlines making consumers more aware, how can businesses avoid being the next Equifax or TalkTalk?

The simple answer is that there needs to be a change of mindset when it comes to security in the business world. Businesses can no longer adopt an ‘it won’t happen to us’ approach or a ‘my perimeter can’t be breached’ mentality. The focus must be on securing the most sensitive data a business holds at its core. Too many companies attempt to secure the outside and leave the data itself exposed, meaning that once an attacker has broken in, they can help themselves. Encrypting data at rest and in transit, generating and storing the encryption keys separately from the data they protect, and managing and controlling which users and systems may use those keys, are vital steps for businesses to take to protect themselves.

With nearly every business using the cloud and the continued emergence of IoT, businesses have never had such opportunities to grow, but with that comes an increased attack surface to defend. By implementing controls such as encryption, businesses can adopt what is known as a ‘secure breach’ strategy, whereby even if attackers get in and copy the data out, what they take is ciphertext they cannot read. That only holds if the keys are kept out of the attacker’s reach: encrypted data stored alongside its own key, or decryptable by any compromised account, is no better protected than plaintext.

Investing in this strategy is the only way businesses can protect themselves from the financial and reputational consequences that are now seen more frequently. The true cost of a data breach may still be up in the air and will vary from business to business, but companies should not be running the risk of finding out what it will cost them.

Jason Hart, CTO of Data Protection at Gemalto 

Jason Hart

Jason Hart is the CTO of Trutonic and the founder of Fresh Security. Prior to Trutonic, he was CTO Data Protection at Gemalto. He is a double award-winning, globally recognised expert and visionary in the world of cyber security, a Forbes Tech Council member, and a technology leader with 20 years of experience leading teams that design effective cyber and information security solutions. Jason continues to raise the profile of information security risks and educate others about them, and was instrumental in the introduction of the CSO (Chief Security Officer) role globally.