Is It a Smart Choice for Businesses to Voluntarily Disclose a Data Breach?
So you’ve had a data breach. You’re not alone – almost 25% of businesses defended against 7 or more cyberattacks in 2020. In the stressful aftermath of the incident, you’ll be relying on your incident response plan to get your business back on track and start your recovery. But you may not have included something in your plan – do you disclose a data breach to your clients, your partners, your suppliers or the public at large?
One major factor to consider is the cost in dollars and cents. SMBs that disclose a breach are looking at an average of $93,000 in costs. But that cost skyrockets if the breach is reported by the media first with a whopping $155,000 in damage. The cost for larger enterprises that disclose a breach are commensurate: a self-disclosed data breach runs about $1.13 million, but one that’s reported by the media first boosts that to nearly $1.6 million.
Do You Want to Know a Secret?
It goes without saying that part of your incident response plan is to report your data breach to the required regulatory authorities, both in your government and in your industry. You may also be legally required to inform clients or partners. But there are some hard choices to make about how you handle the circumstances and whether it’s to your company’s benefit to disclose a data breach officially. By weighing the positives and negatives of that decision, it’s easy to see what the right choice is for every organization.
There are a number of negatives that your business faces by disclosing a data breach to the general public. While experiencing a data breach has grown significantly more common, it’s still an embarrassing and damaging incident. A Ponemon survey noted that 65% of consumers said a data breach had caused them to lose trust in an organization, and 27% discontinued their relationship with that company.
However, that changes substantially when considering your company’s reputation. As more non-tech folks become aware of the reasons that a company can suffer a data breach including nation-state hacking, public perception is changing. With hacking incidents becoming more common, firms that suffer from a data breach are increasingly being perceived as victims of cybercrime instead of irresponsible companies.
No one wants to tell the world that they’ve failed, but both regulatory requirements and savvy reporters almost guarantee that someone is definitely going to find out, especially if your data security incident involves nation-state hacking. Although companies do still try to deny or refuse to comment on data breach news reported by the cybersecurity press, it’s always clear that they’re not telling the truth, and that’s not a good look for any business.
But as you’re making your decision, you may want to consider what’s the downside of disclosing a data breach?
- Your company suffers public embarrassment.
- The company will be criticized.
- Your company’s security practices will be scrutinized and flaws will be pointed out, as Twitter experienced after a wacky incident in 2020.
- It becomes something that pops up in a Google search.
- Your clients will know about it.
- Your competitors will know about it.
- The press is likely to report on it.
- You may have been able to sweep it under the rug, but not now.
- Your company’s reputation may be damaged.
- You may be impacted by the news of this incident in future transactions.
Even while recovering from a data breach incident, there are still a few positives that your business can reap from this situation. In an increasingly dangerous and tumultuous threat landscape, more businesses are experiencing cybersecurity incidents like a data breach than ever before – small and medium business data breach incidents are expected to rise by more than 40% this year.
What benefits could your business possibly wring out of a cybersecurity disaster? More than you think.
- You get to control the narrative by setting out the facts about your incident and how your business is handling it.
- You get your message out ahead of stories that may be published by any industry press.
- Your company demonstrates a commitment to honesty and transparency.
- You’re more likely to save money in recovery costs.
- You demonstrate that your company does take cybersecurity seriously because you found the breach. This was recently a positive outcome for FireEye as the SolarWinds scandal began unfolding.
- You have an opportunity to communicate to your customers that you’re taking action to prevent this from happening again.
- You can clearly communicate what remediation and prevention of further harm you’re giving your clients, like credit and identity theft protection or Dark Web monitoring.
The Bottom Line
When your business has experienced a cybersecurity problem like a data breach, every second counts in recovery, and that includes reputation management. After comparing the lists of positives and negatives, it’s easy to see that disclosing the incident publicly, whether you send out a press release or publish a company blog post, is the smart choice for every business.
Plus, as part of your disclosure, you can reassure your clients that you’re addressing the issue that led to the breach. It’s essential that you not only admit that the breach happened, but also disclose how it happened and what you’re doing to fix that security pitfall. These tools can help you avoid future breaches and rebuild customer trust by showing that you’ve strengthened your security to keep it from happening again.
- Add multifactor authentication with Passly (secure identity and access management tops CISO priority lists for 2021 because it protects you from many kinds of cybercrime) to guard against phishing-related password theft and credential stuffing attacks.
- Add single-sign on with Passly to make it easy for your IT team to manage user accounts and permissions, which is especially beneficial if they need to quickly isolate an account that’s been hacked to avoid further damage.
- Add improved security awareness training including phishing resistance training with BullPhish ID to reduce your chances of suffering another cybersecurity incident by up to 70% and build a stronger, more resilient cybersecurity culture.
- Add Dark Web ID to stay on guard against account and password compromise with 24/7/365 human and machine-powered monitoring to make sure that you find out that your company’s credentials are for sale in Dark Web markets before the bad guys do.
- See demo videos of Passly, BullPhish ID and Dark Web ID in action.
Do you really want to wait until after a cybersecurity incident to take preventative measures against a cyberattack? No, you don’t – contact the security experts at ID Agent today to get an assessment of your Dark Web risk and personalized advice on how to make your company’s cybersecurity strong enough to withstand the pressures of today and tomorrow.