+Damage limitations

by Bea Gorman

Successful handling of a data security breach can limit reputational damage as well as financial losses

Given the potential impact of a data breach, and the limelight major cases receive, it seems surprising that businesses are not massively invested in planning and combatting the effects of all too regular data breaches.

A recent study by Experian UK, SMEs Under Threat, revealed that British SMEs are unclear about the risks and subsequent costs of a possible breach, indicating small businesses are unprepared for growing cybercrime threats. A surprising statistic highlights almost 30 per cent of businesses have no plans in place to deal with security threats.

The same study highlighted the fact that many UK SMEs would not survive a data breach due to underestimating the true financial impact. According to government statistics, a data breach costs a small business around £310,000, but SMEs surveyed believed the cost to be £130,000 less, at only £179,990.

So why are businesses not planning for such events in a world which is so dominated by cyber-crime, which is rarely out of the headlines?

“It’ll never happen to us”

Despite increased media coverage of high-profile breaches, many top executives are still under the impression that their organisation has no valuable data and will not be targeted. This false belief could have devastating consequences, as just simply being connected to the internet makes any company of interest to cyber criminals.

To cyber criminals any accessible company is a resource that could be exploited and discarded, simply because it is there. And once they are in, they will take whatever they can or hold the organisation to ransom in order to make a return on their time investment.

The issue of cost

Many small businesses are often time and resource starved, indicative of the pressures facing them which will only escalate should a breach occur. While it’s understandable that smaller businesses may feel they lack the resource or expertise to prepare for a data breach, they are also likely to be among the most vulnerable, as they won’t have the expertise and budget to gold-plate their security.

The true cost of a breach, whether due to sophisticated cybercrime or basic human error, is far higher than the cost to design and implement a plan – and generally far worse than companies tend to imagine.

It's overwhelming!

Many firms are still struggling to put in place or identify exactly what their response to this ever-increasing threat should look like. They feel overwhelmed by the threat, and given the size of the problem, end up underplaying the value of the clear solution – a data breach plan.

Although companies may understand why they are attractive to cyber criminals, it’s clear that a data breach plan can seem overwhelming to some. But businesses plan for all sorts of eventualities, like fire, theft or employee grievances. Indeed, no business would not put a fire drill plan in place and in an increasingly data driven world a cyberattack is just as real a possibility as a fire.

A detailed data breach response plan is not only instrumental in decreasing the likelihood of attack, but also can substantially reduce the amount of organisational chaos and the valuable time wasted in dealing with the confusion. With the ever increasing threat of data breach, it is essential to employ a proactive data breach plan in order to prevent significant damage to not only a company’s finances, but their operations and reputation too.

The key elements of a data breach plan should cover:

  • containment and recovery, including damage limitation
  • an assessment of how a breach might increase future risks
  • stakeholder analysis – a list of organisations and individuals that would need to be notified in the event of an incident
  • strategies for dealing with the fallout of the breach, including reputational damage

Crucially, in the event of a breach or a cyberattack, it is important to get your message out quickly, and that means doing as much of the work as possible in advance. This can be done by identifying potential scenarios, developing the appropriate messaging templates and selecting appropriate communications channels for each situation.

The resulting incident response plan should be adequately staffed and resourced, and needs to be kept updated to take account of new risks. It should also be regularly tested, ideally several times a year.

Back to our blog.

click here