Data breaches are a hot topic – and for good reason. Stories about businesses getting hacked are in the news almost every day. And it’s not just large corporations or technology companies that are affected. Any business, large or small, is at risk. According to The Hartford Insurance Company, one third of the data breaches investigated in 2012 took place at organizations with fewer than 100 employees. To hackers, any information is good information, so even small companies are vulnerable.
Why should you be concerned about data breaches? Breaches can have tremendously negative effects on your business, both in terms of cost and damaged reputation. The most obvious is the cost of the corrective measures needed in the aftermath of a data breach, including forensic investigation, legal services, notification costs, auditing and consulting services, public relations services, credit monitoring and more. According to the Ponemon Institute’s 2013 Cost of Data Breach Study, it costs an average of $188 per individual record that has been compromised.
In addition to being extremely expensive, a data breach can destroy trust and customer loyalty. The Ponemon Institute’s study pointed out that for healthcare and financial services companies in particular, the risk of customer abandonment is high post-breach. Had the breaches at Target, Neiman Marcus and other retailers been included in the study, the retail sector would undoubtedly have been at the top of the high-risk category.
So what can a business do to protect itself against this threat of a costly data breach?
Internal Risk Management Procedures
The Ponemon Institute studied 54 U.S. companies in 14 industry sectors that experienced a data breach and provided some helpful tips to avoid or at least mitigate the impact of a data breach.
- Encrypt data. Nearly 41% of data breaches arise from malicious or criminal intent. Compromised data that is encrypted is not deemed a breach and therefore does not trigger the expensive notification and credit monitoring costs. As such, enforcing an encryption policy can go a long way toward mitigating the impact of such an event.
- Educate employees. Human error accounts for 33% of these data breaches. It is crucial to train your employees on how to properly handle records and customer information. In addition, awareness of social media and email scams can prevent an unwanted party from gaining access to your IT systems. Training and awareness programs are important to prepare employees and give them the confidence to report breaches.
- Set a standard. Require all of your business partners to follow the standard that you set. Roughly 40% of organizations studied had a data breach caused by a third party. Thus, setting a high standard for handling sensitive information for vendors, outsourcers, and business partners is just as crucial as with in-house employees.
- Protect information. Lost or stolen devices (mostly laptops) accounted for 35% of the incidents. Here are a few simple measures that safeguard your information:
  - Password protect desktop computers, laptops, and other electronic devices
  - Set screens to lock after 20 minutes or less
  - Implement a procedure for reporting lost or stolen devices
- Assess. Know what data others value – personally identifiable information of your customers or employees, personal health information, or corporate confidential information (your own or that of your clients and business partners). Perform risk assessments of key data weekly.
- Minimize data storage. The less data you have stored, the less there is to steal or compromise. Only collect the essential information, properly dispose of old information that is not needed, and take inventory of what you have on file.
- Think ahead. Create a formal action plan to investigate a future data breach, notify all concerned parties including customers, credit bureaus and the government, and reconcile records. The organizations studied saw lower costs per record when they had an incident response plan in place before the breach.
Cyber Liability Insurance
Preventive steps are always prudent, but what happens if a cyber breach occurs? One of the best solutions is to have cyber insurance. Cyber liability policies are designed to reimburse companies for costly expenses, such as investigation, data recovery, notification costs, and litigation fees that result from a cyber attack.
Historically, cyber insurance was most commonly purchased by technology firms or financial institutions because of their storage of confidential personal information. Today, retailers, healthcare entities, restaurant chains, and other mainstream businesses and companies across all industries are looking to cyber insurance. An increase in demand has led to a wider range of insurance solutions, and in turn reduced the cost of premiums significantly over the past decade.
Marsh & McLennan Agency conducted a nationwide survey of small, midsize, public, private and non-profit organizations to gauge how decision makers perceive cyber liability, what risks they face and any prevention efforts they’re currently taking. Here's what we found.
To make sure your organization is prepared for a data breach, stream our seminar on how to avoid a data breach nightmare.