As of June 28, 2016, 500 data breaches took place, with more than 12,700,000 records exposed, notes the Identity Theft Resource Center. Data breaches have become so commonplace that business attitudes toward them have shifted. Increasingly, large corporations see data breaches as just a “cost of doing business” that need to be dealt with quickly and then moved on from. What does this shift in attitudes mean to SMBs?
The New Perspective on Data Breaches
A couple of years ago, it seemed as if the public was outraged whenever they heard about a data breach. The outcry of fear and frustration had negative repercussions for businesses who found themselves victims of cyberattacks.
Now, as the Identity Theft Resource Center statistics demonstrate, data breaches are increasingly commonplace. Even if your business has not been the victim of a cyberthreat, the perception exists that it is only a matter of time before something bad happens. At the same time, the public outcry over each new data breach has lessened. People are paying less attention to new data breaches — if they even notice at all. Data breaches have become the “new normal”; in fact, they seem to occur every day.
These changes have spurred some pundits to suggest that data breaches are merely the “new cost” of doing business. Companies spend money cleaning up after a data breach, but pundits claim the amount they spend is minimal compared to the profits that businesses make. For example, consider Home Depot, which experienced a massive data breach that cost $171.5 million, yet the retailer made $88.5 billion in fiscal year 2015. Furthermore, the actual amount that Home Depot had to pay out-of-pocket was less, since the company had a cyber insurance policy in place.
After eBay suffered a data breach in 2014, the company’s stock dropped by just 8 cents the day the news broke. eBay may have suffered negative press as a result of the breach, but it was just another day for the online auction company’s stock prices.
The same thing happened to Target during its 2013 data breach. Stock prices fell the month after the data breach, but the price drop coincided with news of job cuts at the retailer.
T.J. Maxx did experience a stock drop of 12 percent after its data breach back in 2007, yet investors took this for the buying opportunity it was, and the stock regained its value a couple of months later.
As these anecdotes suggest, investors care little about data breaches at major companies. This evidence may help bolster business confidence that data breaches are something to be weathered successfully.
Certainly, Home Depot would rather not have had a data breach in the first place. But they were able to pay the costs to clean things up and went on to reap significant profits, despite any loss in reputation the breach engendered.
Can Small Businesses Afford a Data Breach?
While this new attitude may be fine for a business the size of Home Depot, a small firm would likely be devastated by the amount they would have to pay to cope with a data breach. It is important to note that many small businesses would quite likely be forced to shutter after a data breach.
In light of the shifting attitudes toward cybercrime, let’s revisit the harmful impacts that a breach could cause. Data breaches can impact:
Your small business may not be publicly traded. A loss in customers, reputation and standing versus major competitors could spell ruin for your company. While big businesses may be less worried about data breaches now than in years past, SMBs may not have this luxury just yet. It is important not to let the false sense of calm affect your preparation for data breaches.
How to Respond After a Data Breach
When you operate under the assumption that it is only a matter of time until you suffer a cyberattack, then you can develop a plan to respond. Prompt response is key to containing the fallout from a data breach. Fortunately, since data breaches have become so common, a good playbook exists of best practices to minimize the fallout should you suffer an attack.
To create a plan, first list all the different types of data your company collects. Where and how is this data stored? Who has access to the data? Is the data sensitive (and thus requiring protection), or would it not matter if the data were breached?
Once you’ve identified the types of data you need to protect, develop a chain of communications. If a set of data were breached, who needs to be notified first? A major lesson learned after the Target data breach is that customers whose data was compromised need to be notified promptly. Your key stakeholders also must be notified, since they may be called upon to respond to media inquiries.
You might find it helpful to draft sample scripts for emailing customers, alerting the media, or taking other actions. This draft can help you get word out quickly in the event you are attacked. Having templates ready can provide peace of mind that you have done all you can to prepare for a threat, thereby reducing stress.
Communicating quickly can contain negativity that could arise after the incident. It also gives your business greater control over the story that is told in the media.
In your message after a cyberattack, you must strive to alleviate customer worries and demonstrate responsiveness and trustworthiness. Clearly explain what happened and tell customers what data was breached. Initiate plans to stem the losses and safeguard customers. For example, if login credentials were stolen, perform a password reset for all customers. Then customers can choose a new password and rest assured that attackers will not gain account access. If credit card numbers were stolen, offer free credit monitoring for a set period of time to allay fears.
Customers are more likely to experience a loss of trust in your company if they feel that you do not have all the information at hand, or that you are not communicating everything you know to them. By communicating quickly and effectively, you demonstrate accountability.
It is a best practice to explain what you are doing to handle the situation and tell customers where they can find more information. You might notify customers of the original attack via email or postal letter and create a website on which you will list additional information that arises as you investigate the incident.
By planning ahead of time, you ensure that you can take the appropriate response quickly and with less stress.
While the first 48 hours are a key time frame in spreading the word, you should prepare for inquiries from concerned customers and media pundits in the weeks after the attack. Assign staff to interface with media and members of the public after a breach.
In addition to preparing how to publicly handle a data breach, it’s a good idea to review the safeguards that you have in place to protect your business from cyberthreats. Have you implemented all of the latest security measures? Are you investing enough in cybersecurity, or is this a task your business is under-funding?
Simply by using the planning opportunity to take another look at the systems you have in place, you can reduce your risk further. An independent cybersecurity assessment can help you gauge whether the measures you have in place are sufficient to protect your business from modern cyberthreats. Based on the results of the assessment, you may decide to bolster your level of protection or outsource threat mitigation to a managed service provider (MSP). MSPs have access to the latest technologies and economies of scale. As a result, they are often able to offer best-in-breed threat deterrence for less than it would cost your business to purchase the same technologies.
A time may well come when we have reached true data breach fatigue, and no public fallout will occur for any-size company after a data breach. Yet now is not that time, at least not for small businesses. If you would not be able to weather the fallout from a data breach, then it is in your best interest to strategically plan your response and bolster your security systems.