What’s the real cost of a data breach?
- Aug 01, 2017
- 8 min read
Legislation passed this year means that it may be mandatory for your business to report data breaches to the government and to your customers. This makes your data security more important than ever before.
In 2016 and 2017 the following organisations were among thousands that fell victim to a significant data breach, totalling tens of millions of lost and stolen records:
Australian Red Cross Blood Service, Australian Health, National Australia Bank, Australian Public Service Commission, Sarina Russo, ABS, Bendigo Bank, Melbourne GP Clinic, ANU, ADF, Centrelink, Gumtree, ATO, Dept of Health and Human Services, Blackburn High School, and Mr Fluffy.
While 2016/17 saw a number of high-profile data breaches, this is not just an issue for the big end of town. The Symantec Internet Security Threat Report 2017 shows that small to medium businesses were the most targeted group in many categories, including email scams, malware attacks, data breaches and BEC scams. With new mandatory reporting legislation in place this year, the consequences of a breach could now be a lot more serious.
According to the IBM Cost of Data Breach Study: Australia, malicious attacks caused 46 per cent of data breaches in 2016, while 27 per cent were caused by a negligent employee or contractor, and a system glitch was the source of the remaining 27 per cent.
Under the Privacy Amendment (Notifiable Data Breaches) Bill 2016, organisations will be required to notify any unauthorised access to, disclosure of, or loss of personal information that is likely to result in serious harm to the affected individuals.
If a business suspects it has been subject to a data breach, it will be required to carry out an assessment within 30 days. Then, if there are reasonable grounds to believe an eligible data breach has occurred, the business will need to notify the Privacy Commissioner as well as all the affected individuals.
Few businesses, especially small to medium businesses, have ever budgeted for the cost of the assessment and notification process, let alone the cost of the interruption to their business, and that should be a concern.
Failing to disclose could also prove expensive, with businesses facing a range of potential penalties, including fines up to $1.8 million.
Every business holds information that is confidential under the privacy obligations that apply to it, even if it is only its own employee records, so maintaining that confidentiality is a serious matter.
TBIB’s Managing Director Sean Bemrose cautions businesses to not adopt an “it won’t happen to me” approach.
“Of course, businesses that retain a lot of their clients’ personal information, such as lawyers and accountants, financial services businesses such as financial planners or mortgage brokers, and medical-based businesses, are at the highest risk, but really any business that relies upon its IT infrastructure and access to electronic information is at risk – even just from the interruption to its normal business activities.”
Sean believes that being aware of the potential for a cyber attack can go a long way to protecting a business from the reputational damage and financial costs that accompany a data breach.
“The primary risk is opening an infected email attachment. That’s where malware gets into your system. Viruses can be in your network for months before they are detected, and they can be accessing information the whole time.”
The IBM report on the cost of data breaches in Australia shows that the average cost of managing and rectifying a breach is approximately $140 per compromised record.
Although the financial cost is high, IBM says the biggest consequence of poor data security is a loss of business following a breach.
Here are three strategies to help keep your data safe.
- Establish robust data security protocols
Your first line of defence against cybercrime is a strong set of processes around your data security, together with up-to-date security software. Your systems, and those of your partners and suppliers, should be regularly tested for vulnerabilities, and a risk assessment and management process should be put in place.
Be aware of your industry compliance obligations, such as those that apply to payment processing and to your storage of private information.
The big thing here – that most businesses don’t do very well – is to foster a culture of caution and care from top to bottom in the business, and create effective management reporting processes.
Only collect the data you need – the less you have on your system, the lower the risk if a breach occurs.
- Get expert help if you suspect you’ve been breached
If you think there may have been a breach of your data, get the right assistance as quickly as possible. Whether it is expert IT support, legal advice or even public relations help – remember, delays are costly.
- Consider taking out cyber insurance
Cyber insurance can help cover costs related to a data breach. Cyber insurance can cover first-party costs, such as having an IT expert come in and wipe the virus, or the cost of reporting the breach and even the interruption to your business. It can also cover your liability costs if an affected client takes legal action.
If your business uses customer information, has a website or web-shop, or communicates with clients by email, you are exposed. You need to understand and manage that risk, and have the right advisers to help you navigate the way ahead. When it comes to insurance, make sure your broker understands both the complex risks and your business.
Our brokers and claims team are small business specialists, and can help you understand the full range of risks that you will face in business. We’d love to help you – please email us on firstname.lastname@example.org or call us on 07 3252 5254 and talk to one of our brokers.