09 Sep What’s the (Real) Cost of a Breach?
Here, at TetherView, we’ve debated what’s the real cost of a breach. We all agree that there are a range of different costs.
We understand that things like compensating the affected customers, share value plummeting, legal fees, insurance premium hikes (which is another issue unto itself) and having to pay for the right protection (to ensure a breach doesn’t happen again)—are all associated costs of a breach.
But those are just surface costs—things that the Ponemon Institute tells you every year (and don’t get us wrong, the work they do is great, but we think it doesn’t go deep enough).
Companies hardly consider business interruption, loss of consumer confidence, or the cost of recovery as an associated cost of a breach. Consider this: a breach’s cost can also be measured by an employee (their salary, etc.) walking away with corporate data (invaluable).
So, let’s dive in.
Even after addressing the initial financial impacts, a company must also deal with reputational damage. It goes without saying that breaches have a massive negative impact on a company’s customer base (especially if the breach involved sensitive data). Moreover, customers lose confidence in the brand and don’t feel that their data is secure. A breach also puts off potential customers, and in some cases, potential/current employees—just look at Uber.
“The scandals have damaged Uber’s brand reputation over time, said Robert Passikoff, president of Brand Keys Inc., a New York-based customer research firm. The company’s polling has found that in 2015 Lyft passed Uber as the most trusted of ride-hailing brands, and trust in Uber has been eroding ever since. Consumers will give technology companies the benefit of the doubt for a long time. But with Uber, “that well of forgiveness isn’t bottomless,” Passikoff said.
Passikoff doesn’t measure the impact on ridership and Uber won’t discuss it. But Lyft says its share of the U.S. market has risen 3 percentage points since August to 33 percent. It’s up from 12 percent two years ago as Lyft has expanded with more drivers in major U.S. cities.”
Part of the reason Uber lost market share was that it lost a portion of its workforce. Often, data hackers are interested in a business’s proprietary information. This information can include customer lists, pricing, and even trade secrets. Once hackers have this information, they can effectively damage a company’s competitiveness. These threats are manifested when hackers provide proprietary details to industry rivals or reveal the information, to the public at large. Post-breach companies like Lyft were able to provide former-Uber drivers assurances like:
- Your data won’t be sold on the dark web.
- Now that we know how much you make; would you like to make more?
- If you’re looking to make more, why not work for both companies?
Without question, a company’s most prized possession is its reputation. A business must constantly work to build and maintain the integrity of its brand.
However, one compromising incident like a data breach can stain even the best of reputations. In fact, Ponemon stated 46 percent of organizations say they suffered damage to their reputation and brand value as a result of a cybersecurity breach—and just like Uber—this creates a lasting impact on their ability to grow and function as a company.
And that last point is the payoff, right? Regardless of what public opinion may be, the real issue here is that a breach has a direct impact on your relativity to the market. The fact that some companies have comprehensive security, doesn’t stop them from having an agent of corporate espionage on their payroll that could walk away with millions of dollars’ worth of data.
We’re sure that at some point you’re waiting for the TetherView sales pitch—but we think it would be better to identify some concerns regarding 3rd party IT providers. It should go without saying that dependency on vendors and third parties also brings the potential for increased exposure to viability and capabilities of vendors that support your critical systems and processes. If you add the amount of increasing regulations which impact companies across industries and across geographies (e.g., GDPR, NYDFS and CCPA)—the list of potential threats and risks grows exponentially.
We get it. At TetherView we’re obsessed with protecting data—we know the next big threat is around the corner. Which is why we offer businesses security, mobility and compliance (at the highest levels). Our Digital Bunker is a truly comprehensive solution, minimizing the number of moving pieces (or vendors) in an organization’s IT Architecture.
If you have full faith in your IT team—that’s excellent. In fact, if you are an IT professional keep reading— we’ve synthesized a couple of key recommendations from Gartner, on how businesses can be better prepared.
10 Recommendations from Gartner for Securitizing your IT
- Engage business stakeholders to create risk appetite statements.
- Build or outsource a security operations center.
- Use a data security governance framework before investing in tools.
- Exploit passwordless authentication to improve security and convenience.
- Seek out solution providers that offer a fusion between products and services.
- Establish a cloud center of excellence team and invest in training.
- Augment one-time security gates with internal detection capabilities.
- Regularly test how existing defenses adapt to microtrends for the most prevalent threat vectors: malware, phishing and attack on credentials.
- Prioritize measures that better prepare for the threats that are more likely to hit them. This requires good communication skills both within and outside of the security teams. Also progressively build a security posture framework for continuously evaluating relevant defense technologies and processes.
- Engage in a cross-team effort to improve discovery of new assets and emerging business technology use. Use risk register to standardize the approach to aim at a more continuous exposure assessment.
- Improve resiliency by building a complementing strong backup and incident response plan that includes crisis management and recovery planning to better prepare against attacks the organization is ill-prepared to prevent or detect.
The title to this blog is not going to make any of us at TetherView popular with IT Managers.
However, we think it’s addressing a sobering reality amongst business IT leaders. Most businesses large and small think of IT as being responsible for anything plugged into the wall, plus anything that is performed on a computer; following that philosophy means IT is responsible for EVERYTHING. By asking the “IT Guy” or “IT Team” to manage the copy machine, email, website, security (physical and cyber), compliance, phones, mobile phones, CRM, ERP (well, you get the picture)—your IT person will be less effective or even counter-productive to the goals and long-term strategies of a company.
The IT person has been in house for years—so what do we do? You let them focus on the company’s core business.
Here are 3 Major Reasons to outsource parts of the “IT Puzzle”:
Let’s take a step out of the IT occupational space for a minute. In the medical field, there are hundreds and hundreds of fields of practitioners and surgeons all specializing in a specific niche of medicine. By solely focusing on their area of expertise, they have the time and ability to hone in on best practices and solve complex diagnosis and patient cases. So, would you go to an Orthopedic if you needed Brain Surgery? Definitely not.
Like the medical field, the IT field is made up of countless different areas all of which require a specialist with expert skills to both innovate and effectively solve problems. Why would you put the entire scope of your IT infrastructure on one guy or a small team? We’re not saying your IT guy isn’t smart… we’re saying that the magnitude and scope of work is too great for any one man or small team to handle.
Don’t hire a generalist when you need a team of specialists.
An IT generalist will help you with anti-virus, firewalls, email and application set-up—but that’s about it. If something complex were to happen, your IT person or team is going to require external resources and research to solve the problem. Now, your company is at a standstill. In order to solve that complex issue, you need to spend money on resources that you were ultimately trying to save.
Let’s say your company experiences a ransomware breach. Your IT guy may be prepared to check servers, try to find backups or even try to recover the missing information. Once he’s burned through his checklist of skills and past experiences—he or she will likely be on Google or YouTube trying to figure out how to fix the problem.
An IT generalist is something of the past. With technology advancing faster than we care to admit, a generalist just doesn’t offer any value to a company. In fact, if you have a generalist at the helm of your IT department, you have a ticking time bomb.
Most SMBs are unfamiliar with what their IT person or team does –just ask the support team or business owner. It’s even more difficult for a business owner to gauge how well their IT person or support department is performing. The underlying question is how does a manager or business owner quantify the results and performance of an IT person / team? How does he or she know that the IT department is effectively and efficiently handling every component of their IT infrastructure? If it’s a single IT person to 2 to 3-person team there is absolutely no way they’re properly managing the architecture, stability, risk management & security, just to name a few.
IT might be the most important function in a company—more so than sales, marketing or accounting. Even with a team of three very smart IT people, how do you evaluate if the department is managed or even performing well? The sad reality is that an IT person or team will be exposed the minute there’s a breach to their company.
The most common place we see the single or small team of IT professionals fall the shortest is in long-term planning and innovation.
Most IT professionals fail when it comes to long-term planning. They’re great at handling and executing specific tasks—but few have the foresight to implement a company’s goals into a long-term plan. Part of the reason why this is a challenge for an IT person or team is because there’s never time to innovate or conduct adequate R&D for new projects. Additionally, an IT person or team’s budget is generally much lower than a company spends on marketing (read our paper on technology spend to learn how to avoid that pitfall). Finally, the disadvantage of experimenting with a poorly researched and budgeted new solution is the risk of making a troublesome, expensive, or embarrassing mistake.
Ultimately, these inherit disadvantages will come to light and the value of the department will diminish because they don’t line up with the company line of advancing in the 21st century.
So often, when we talk to a company after a major cyber incident—they always tell us how under-prepared they were. What they don’t realize is that the lack of preparation came as a result of the complexities of IT. Moreover, just because somebody knows computers, doesn’t make them the right fit to strategically guide a growing company.
At TetherView we build Digital Bunkers™ for businesses. Our specialists provide and maintain your private cloud services supporting your applications on compliant and highly secured virtual servers and desktops. Your data never leaves your Digital Bunker™ but is securely accessible by your employees on virtually any device that is connected to the internet. Our customers improve their efficiency and focus on growing their businesses, not on their IT infrastructure and cyber-security; that’s our core expertise.
Keep your IT Team in place, and let TetherView provide the infrastructure, desktops, servers, security and compliance. This will enable your IT team to deploy the technology to make your business more efficient, productive and relevant.