Unauthorized data intrusions have been occurring with alarming frequency. From the highly sophisticated 2021 incident better known as the Pandora Papers to the massive hospitality breach that caused the personal details of millions of MGM hotel guests to be exposed on the dark web, such incidents are a distressing fact of modern life.
It’s tempting to think of the risk of a data intrusion as an unavoidable cost of doing business. And it is true that preventing sophisticated forces from doing what they will is difficult, if not impossible, for most enterprises.
Sadly, 60% of small businesses go bankrupt within six months of a data breach. Therefore, sound data security is more important than ever.
Yet we underplay the consequences of successful data breaches at our own peril. Even a “minor” incident can have lasting ramifications for affected individuals and firms. Let’s take a look at a few of these consequences in turn, and at why you need to prevent data breaches.
1. Damage to Your Corporate Image
This downside is perhaps the most difficult to quantify because it’s hard to pin a value on your reputation in the first place. Suffice it to say that any damage to your corporate image is bad for business — perhaps over timescales far longer than the inciting incident and your direct response.
The threat of lasting damage is what compelled Asiaciti Trust and others to clean up the technical and reputational damage caused by the Pandora Papers incident. It’s what drove firms like MGM International and Capital One (another recent data breach victim) to disclose their own vulnerabilities too.
2. Financial Costs to Restore Lost Data
Restoring lost data is often not as simple as pressing a button following a data incident. That’s because such incidents often corrupt corporate and personal data, making it difficult to determine what needs to be restored. Depending on which systems and data the incident affected in the first place, version control could be an issue as well.
3. Time Costs to Restore Lost Data
It takes time to restore lost data as well. And your firm’s time may well be more valuable than its money in the aftermath of a data incident, when your team will be working overtime to get back to normal even as “business as usual” goes on (or tries to go on, anyway). Time spent on data restoration — a basic incident response need that can’t be delayed — is time not spent on your public response.
4. Resource-Intensive Crisis Response
This matters because said public response is very resource-intensive. And, like data restoration, it really shouldn’t be delayed once the public learns of the incident. (They almost certainly will learn about it, even if you don’t tell them. The incident that affected Asiaciti Trust and its peer firms was first reported in the media, not by any of the impacted organizations.)
Any internal resources devoted to your response — people, software, creative labor — are resources you’re not spending on “business as usual.”
5. Post-Incident Analysis and Remediation
This merely adds to the financial and time cost of a data incident. And those additions are often significant, as an effective postmortem generally requires outside expertise — forensic cyber experts — who work for weeks or months to figure out what happened and what can be done to prevent a recurrence.
That second part — preventing a recurrence — takes even more time to ensure. Depending on the outcome of the investigation, you’ll likely have a laundry list of action items that you’ll need to pay outside contractors or internal IT staff to implement.
6. Expense to Hire Legal Counsel, If Needed
If your data incident places your firm in legal jeopardy or requires negotiation with stakeholders, you may need to retain legal counsel with cyber liability expertise. These professionals are difficult to come by (though becoming more plentiful every year) and charge a premium for their services. But you might not have a choice.
7. Payouts to Affected Customers and Stakeholders
Finally, if the data incident materially affected any of your firm’s stakeholders — including customers — financial compensation may ultimately be in order (or required of you). This can take years to materialize, but it’ll hurt when the time comes to pay.
Prevention Is the Best Medicine — But It’s No Cure
Every one of these data intrusion consequences is bad for your business. It might cause a direct financial loss or a more subtle erosion of consumer confidence in your brand, but either way, it’s not a headache you want to deal with.
Clearly, prevention is the best medicine. And while it’s foolish to think that you can reduce your risk of a data intrusion all the way down to zero, you can do more to make yourself less attractive to the bad guys than you realize.
That’s a topic of conversation for another day. But now that you understand the downsides of leaving yourself vulnerable to data theft, it’s a conversation you’ll want to have sooner rather than later.