Over the last few years, it’s been difficult to go more than a week without hearing another news story about a data breach at an organisation that perhaps should’ve been better prepared.
Back in January 2020, Microsoft left a customer support database holding the private information of over 280 million individuals unprotected on the internet, while in April of the same year, the credentials of 50 million Zoom accounts were found for sale on the dark web and hacker forums.[1]
Worryingly, since these two breaches cyber crime has increased, in part due to the COVID-19 pandemic and disruptions to traditional working patterns.
In this blog, we’re going to examine the potential cost of a data breach, and in particular the often underestimated consequences you may face if your security is found wanting. These consequences are often discounted, but can have a disastrous impact on your organisation. Let’s get started.
A data breach is a nightmare for your customers, but a more costly, indirect result could be a hefty fine for your organisation.
Between 2020 and 2021, Amazon was fined an enormous €746 million (£551 million) for GDPR breaches — 15 times the previous highest fine.[2] With fines getting that high, organisations of all sizes should be taking cyber-attacks seriously.
The financial impact can be larger than you think
As the Amazon example shows, data breaches have the potential to be financially crippling even for the biggest players in the market. Here are some stats to be aware of, based on where your organisation is located:
- UK GDPR has a maximum fine of £17.5 million or 4% of annual turnover, whichever is greater.
- EU GDPR has a maximum fine of 20 million EUR or 4% of annual turnover, whichever is greater.
- There is no federal data privacy law like GDPR in the US, but other laws are in place to regulate the use of data. For example, credit reporting company Equifax agreed to pay at least $575 million (£425 million) as part of a global settlement with the Federal Trade Commission, the CFPB, and 50 US states and territories, which alleged that the company’s failure to take reasonable steps to secure its network led to a breach in 2017 that affected approximately 147 million people.
It’s easy to underestimate the costs of a data breach. Less easy is sourcing the funds to pay fines of this size. Having robust cyber security is paramount to protecting your organisation.
Additional reading: For more on the financial impact a data breach can have, check out our blog — The Financial Impact of a Data Breach in 2021
If you search Google for Equifax you won’t have to scroll very far down to find a story about the data breach referred to above, which is now a lasting part of their reputation.
A PwC study suggested that 92% of consumers agree organisations should be proactive about data protection.[3] This strongly suggests that the people organisations are marketing to are well aware of breaches — and they are likely to lose trust when one occurs.
The ramifications of reputational damage
It might seem obvious, but the old notion that all publicity is good publicity couldn’t be further from the truth when it comes to cyber security. Some of the secondary problems arising from a bad reputation are:
- A loss of customers: Declining customer trust and a poor reputation are never going to draw more people towards an organisation. In fact, they may actually make people seek out alternatives instead.
- A loss of revenue: Fewer customers means less money. A data breach can literally prevent organisations from earning.
- An impact on stock price (private sector-specific): A little further down the pipeline, but a loss of revenue can have a direct impact on the price of shares — and if there’s one thing shareholders dislike, it’s when the price of their shares goes down.
- An undermining of employee retention: Perceived unprofessionalism can lead to employee dissatisfaction — and even to employees leaving an organisation.
- Recruitment difficulties: News spreads fast, and a negative press story can make recruitment difficult, time-consuming, and even more costly than usual.
- A reduction in funding due to negative press (public sector-specific): The unfortunate reality is that there aren’t many people who will want to invest in an organisation perceived as incompetent.
As we’ve mentioned, the legal ramifications of a data breach can lead to fines and reputational damage. Under data protection regulations, organisations are legally bound to demonstrate that they’ve taken the right steps to protect sensitive data. If this data is compromised, organisations can find themselves compensating affected customers.
In the last few years, there’s been an increase in class action lawsuits in both the US and UK as victims seek monetary compensation for the loss of their data. Indeed, British Airways are currently involved in the largest class-action lawsuit in British history after a data breach in 2018. The claimants’ lawyers have stated that if every victim of the cyber-attack joined the claim, BA’s overall potential liability would be around £800 million.[4]
Factoring in the fines and the legal fees that a data breach throws up, organisations can face astronomical financial losses. On top of that, governments can also place restrictions on offending organisations, preventing them from performing certain operations until legal investigations are complete.
Another potential cost comes from an organisation’s attempts to right their wrongs and recover the data that they’ve lost.
Once something is on the internet, it tends to stay there forever — so the process of removing personal information from online locations can be next-to-impossible, and incredibly costly in terms of time, money and resources.
Organisations that have encountered severe data breaches may have to shut down until any investigations are complete, the cause is identified, and a recovery plan is defined.
This is taken as seriously as an organisation that’s going into administration or facing a tribunal, and the importance of preventing a security breach before it happens can’t be overstated.
Gartner has suggested that the average cost of network downtime post-breach is roughly $5,600 (£4,100) per minute, or around $300,000 (£222,000) per hour.[5] Again, the negative impact of a data breach lies primarily in monetary loss — proving the huge importance of having cyber security measures that are fit for purpose.
Loss of sensitive information
There are different kinds of data breaches, and we’ve focused on the loss of customers’ private information in this article so far.
However, another underestimated ramification is losing essential data, such as confidential information or intellectual property. Here’s what organisations stand to lose along with their sensitive information:
- Competitive advantage: If an organisation’s strategy gets leaked, there is nothing to stop a competitor from acting against that strategy.
- Sales: Again, losing confidential information might reveal data that dissuades customers from using an organisation in the future.
- Opportunities: Potential partnerships, new customers and even prospective employees can all disappear if sensitive information is lost.
Make sure your organisation is protected
Managed service providers like Six Degrees are here to protect organisations from the disastrous and often overlooked consequences of a data breach.
We help organisations across industries by providing a range of robust cyber security services and solutions, all of which are underpinned by our team of experts.
If you want to stay safe from cyber-attacks, and ensure that your organisation avoids the underestimated consequences of a breach we’ve discussed in this article, get in touch today.
Suggested reading: To learn more about how strategic partnerships can help improve cyber security outcomes, take a look at our blog — Four Ways Strategic Partnerships Improve Cyber Security