CIO

Evaluating the true costs of a data breach

By Rick Ferguson, Country Manager, ANZ at Absolute

The costs of a data leak or data loss are rapidly accruing, with the total average cost per data breach within Australia now sitting at $AUD2.82 million, according to a 2015 study from IBM and Ponemon Institute. Moreover, the average cost per lost or stolen record has reached $AUD144, while the average number of breached records per incident is just under 20,000.

While the cost of a data breach is rising, so is the number of cases. In the last few months, we’ve seen a number of high-profile hacks and leaks targeting such companies as NSW Trainlink, Gumtree, Cabcharge, Menulog, Sydney University and LinkedIn within Australia and globally.

What these headline-hitting cases highlight is the potentially far-reaching impact of a public data breach. The implications aren’t just financial; they can also affect consumer confidence and trust in an organisation, and when this happens, a company’s bottom line can plummet.

In addition, with the expected introduction of data breach notification laws in Australia in the next few months, businesses will become even more legally accountable to their customers and likely more susceptible to civil litigation.

But do organisations truly understand the risks and consequences of a data breach?

It’s no longer a few negative headlines and a slap on the wrist from regulators. Data breaches - no matter how serious - can have lasting repercussions that seriously affect how a business operates and competes. It is worth noting that the damage isn’t always immediately apparent and it can take months for the real effects of a breach to appear.

The damage of a data breach

While there are countless ways a breach can damage an organisation, there are three key business areas that experience significant repercussions.

  1. Financial
  2. Operational
  3. Reputational

While the financial impact may seem like one of the most obvious effects of a breach, the actual financial damage goes beyond a loss of revenue or providing compensation to affected customers. Organisations now have to take into account fines that can be issued by regulators.

By digitising, capturing and utilising data, organisations can put in place initiatives to transform business productivity and innovation. However, within an organisation, a breach can result in data paralysis, where employees and customers alike are too scared to embrace data-led initiatives. It can take months, if not years, for a business to get past data security concerns - making space for competitors to move in.

The reputational impact of a data breach can be one of the hardest areas to measure, yet one of the most serious. For example, the breach of the Canadian infidelity-based dating website Ashley Madison has effectively crippled the business’s reputation and may make it difficult for the company to attract new customers and provide reassurance that their (highly personal) data is secure.

With all of this in mind, it is no surprise that the threat of data breaches is rapidly moving up the corporate agenda. For example, Macquarie University in Sydney, in partnership with Optus Business, recently announced the creation of a cybersecurity hub dedicated to research and consulting. The two will invest $10 million over the next seven years.

Moreover, with so many high-profile cases being leaked to the public, businesses are increasingly realising the need to take the “front foot” by notifying affected individuals as soon as possible. Recent Deloitte research indicates that less than one third of Australian consumers who are notified of a data breach will actually lose trust.

The data challenge

A knee-jerk reaction of imposing security measures in anticipation of a data breach can open up further vulnerabilities. If staff are too scared to handle their data correctly or don’t know what policies and rules are in place, there’s a greater chance of something actually going wrong.

To tackle the data challenge, organisations need to take a holistic view of how they handle data. Existing processes simply won’t cut it in today’s data-rich environment.

The key to ensuring data security, while avoiding the hasty route, is a three-step approach incorporating data policies, staff training and data protection technology.

Staff need to know what they’re permitted to do with the data, the measures they need to take in order to protect it and that there is a procedure in place that can limit the impact of the breach, should one occur.

Ultimately, a data breach is one of the most serious and increasingly common business threats and it’s only by understanding the full impact of a breach that organisations can safeguard themselves.