“I’m working on it.”
“We don’t have room in this year’s budget.”
“Something else more important came up.”
“Well, we’ve not been breached before…”
“The risk of it happening is so small and it’s hard to quantify…”
These are some of the most common excuses companies give for delaying their security and compliance efforts. But, given the severe repercussions of just one breach – spiraling costs of damage-limitation, the brand-eroding reputational impact, falling share prices and lost jobs at the very highest level – putting off these initiatives is corporate insanity.
For those who have never experienced a public data breach, it’s easy to dismiss it as something that may never happen to you. Yet, threats are coming from all sides, and we’ve already seen nearly 800 data breaches in 2017 (a half-year record in the United States). It is no longer a matter of if you’ll be breached, but when.
Even if you still believe that the risk of a breach happening to you is very small, the consequences for your company, your shareholders and your customers can be so significant that investing in the right data security is not an ordinary risk-return decision. Here are three reasons not to delay your security and compliance efforts, and to protect both your own and your customers’ data now.
1. Costs, fines and reparations – It is ironic that those who try to save money by forgoing or shortcutting security may end up incurring costs far beyond the price of a solution or compliance program. In fact, the average cost of a data breach is $3.62 million, while the average cost of just one exposed record is $141. These figures take into account financial losses, legal fees, auditing services, customer reparations and more. Class action lawsuits can be even more financially devastating, as seen recently when U.S. health insurance company Anthem agreed to settle a lawsuit over a 2015 data breach for a record $115 million. New costs may arise down the road if a breach also forces an organization into sudden, unplanned and unbudgeted changes to its security program, which could be alleviated by planning ahead and proactively implementing security solutions.
Noncompliance fees can also add up quickly – even if you aren’t breached. For example, for businesses that must comply with the Payment Card Industry Data Security Standard (PCI DSS), the consequences of noncompliance can range from $5,000 to $500,000 per month. If a business is breached, the bank may fine $50 to $90 per compromised cardholder data (CHD) record, whether or not the company is PCI DSS compliant and validated as such. So, beyond securing data, it is also vital for companies to maintain a living and breathing compliance program with regular assessments.
2. Reputational risk – Undoubtedly, a data breach can damage your business’ reputation to the point where your customers desert, stock prices plummet, constituents lose their trust, and worst of all, you could go out of business completely. Target (although still in business) experienced some of these effects firsthand after a data breach involving 110 million customers’ credit card information. After the breach, Target’s stock prices dropped 46 percent. Even more recent is Equifax’s high-profile breach, which is believed to have compromised 143 million U.S. consumers’ personal data. It is nearly impossible to scan the headlines or turn on a news channel without seeing Equifax’s name – for the wrong reasons.
Think about it: would you do business with any company that has proved it cannot be trusted with your most sensitive information? According to Cisco’s 2017 Annual Cybersecurity Report, nearly a quarter of the 2,900 respondents stated that their companies lost potential income from business opportunities after a data breach. Nearly 40 percent of those said the losses were “substantial.” Twenty-two percent of respondents said their businesses lost current customers, with 39 percent of them stating that they lost 20 percent or more of their customer base. A company’s reputation is too important to risk in order to save a few dollars.
3. Job loss – Whether you are a CEO, CSO, CIO or even a governance and compliance executive, a data breach can come back to haunt you and your job. Case in point: after Target’s breach, the company’s CEO and CIO resigned. This is only one of many examples of executives resigning or losing their jobs after major cybersecurity incidents – we have just seen the same executive exodus at Equifax.
While a data breach may not always affect a CEO or those at the very top of an organization, it can certainly hinder the current and future career of whoever decided to wait to secure company data. Those who claimed, “I’m working on it,” and did nothing will certainly have trouble landing their next job if they must explain how they lost their position because their procrastination put their former company at risk.
Act now to secure your data
Protecting your company against a data breach is not something you can put off until tomorrow. The severe consequences – tremendous costs, damaged reputations, lost jobs and tainted careers – emphasize the urgency of proper data security and compliance. However, securing your data does not have to be a daunting task. Here is some advice for how to create a culture within your organization where data protection and compliance are treated with the urgency they deserve:
1. Talk costs to the C-suite: Upper management will pay attention when you start talking money. Emphasize to them the importance of protecting your company’s brand reputation through a proactive and robust data security program. Help them understand how protecting the company from a data breach also protects it from reputational damage, a hit to the stock price and loss of customer trust – all of which directly impact the bottom line. Explain that investments in data security are not simply another line-item expense; in today’s cybersecurity landscape, they are critically important to the survival of any business.
2. Stress compliance as an ongoing initiative: Compliance requires continuous effort; it isn’t a one-off, check-the-box exercise. For example, you could receive a Payment Card Industry Data Security Standard (PCI DSS) Report on Compliance (ROC) one day and be vulnerable to a breach the next, if even one security control changes. Therefore, maintain a mindset focused on continuously improving data security and compliance.
3. Remove sensitive data from unnecessary areas of your business infrastructure: Too many organizations allow sensitive data to be processed, held or passed through areas of their business infrastructure or corporate network where it simply does not need to be. For example, many large enterprises have customer contact centers that accept payments.
Cybercriminals consider contact centers low-hanging fruit because they know that they often hold payment card data, addresses, phone numbers and other PII in their customer records and even in call recordings. However, there is no need for contact centers to hold sensitive data like payment card information in their network at all. Technologies exist that enable them to receive payment card information, mask and encrypt the data, keep it segregated and securely route it directly to the payment processor, bypassing the contact center’s IT systems entirely.
Whenever possible, keep sensitive information out of your business infrastructure and areas of your network where it is not necessary. After all, no one can hack data you don’t hold. Investigate deploying technologies within certain areas of your business that keep sensitive data segregated from your network and business systems like enterprise resource planning (ERP) and customer relationship management (CRM) systems. This will make your organization far less vulnerable and less attractive to hackers, fraudsters and other cybercriminals.
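One practical check behind the scope-reduction advice above, as an added example that is not part of the original article or any vendor’s product: a small Python scanner that looks for Luhn-valid card numbers in records that should never contain them (CRM notes, ticket text, call transcripts) and masks any it finds before the record is stored. The sample notes, function names and masking pattern are constructed for illustration.

```python
import re

# Candidate PANs: 13 to 19 digits, optionally separated by spaces or dashes.
_PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def luhn_ok(digits: str) -> bool:
    """Luhn check-digit test: filters out order numbers and phone numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def find_pans(text: str) -> list[str]:
    """Return every Luhn-valid card number in free text, digits only."""
    hits = []
    for m in _PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            hits.append(digits)
    return hits

def mask_pan(pan: str) -> str:
    """Keep only the first six and last four digits, a common PCI DSS masking pattern."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def redact(text: str) -> str:
    """Replace any PAN in a note with its masked form before the note is stored."""
    def _sub(m: re.Match) -> str:
        digits = re.sub(r"[ -]", "", m.group())
        return mask_pan(digits) if luhn_ok(digits) else m.group()
    return _PAN_RE.sub(_sub, text)

# Constructed sample: what agents might type into CRM notes during a call.
SAMPLE_NOTES = [
    "Customer called about a refund, card ending 4242, no PAN taken",
    "Took payment over the phone: 4111 1111 1111 1111 exp 09/27",
    "Order ref 1234567890123 shipped",
    "Second card on file 5105-1051-0510-5100",
]

def scan_notes(notes: list[str]) -> dict[int, list[str]]:
    """Map note index -> masked PANs found, so a finding can be triaged
    without copying cardholder data into yet another system."""
    return {i: [mask_pan(p) for p in find_pans(n)]
            for i, n in enumerate(notes) if find_pans(n)}
```

Run the same scanner over exports from ERP and CRM systems to confirm that data you believe is out of scope really is.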
So, why wait? It’s time to bump security and compliance up from the bottom of your “to do” list. Acting now will mitigate risk and position your company to best protect itself from becoming another statistic or news headline.