We have seen fundamental changes in the rulebook for storing the data of Australian citizens since the Notifiable Data Breaches (NDB) scheme came into force last year. Now, one year on, we can look back at how the legislation has changed the cybersecurity space, as well as the consequences of not complying.
The biggest change is around transparency: businesses are now obligated to notify individuals whose personal information has been involved in a data breach. Introduced at around the same time as the EU's GDPR, the NDB scheme is part of a global pattern of government intervention prompted by the rising number of data breaches and the growing magnitude of the damage they cause. So, with NDB well and truly in motion, just how much will a data breach cost your business?
Of course, there is the monetary loss involved in a data breach. Until recently it has been difficult to calculate the exact cost of a breach, because many companies are unwilling to disclose how much they spent cleaning up the damage, or how far their sales figures dropped. Some research provides a rough guide: the Ponemon Institute's annual Cost of a Data Breach report puts the average cost to Australian organisations at US$1.99 million, or US$108 per compromised record.
Of that US$108 per record, $47 is direct cost (money actually paid out to deal with the breach) and the remaining $61 is indirect cost: internal resources such as employees' time, plus the loss of goodwill and the customer churn that follows. Moving forward, the mandatory reporting that NDB introduces should give us a clearer picture of the tangible financial cost of a data breach.
In addition to the monetary loss, there are intangible damages to the business which are even harder to calculate. NDB brings greater transparency about when a business has suffered a breach, which also exposes companies to reputational damage. As consumers become more aware of the growing number of breaches, they are starting to understand that they hold the power in the relationship.
Companies must understand that if they are breached, consumers will simply move to another brand they consider more secure. In a recent study of 10,500 consumers globally, Gemalto found that Australian consumers are more likely than their global counterparts to walk away from a company that has experienced a breach. Over two-thirds (70 per cent) said they would walk away if financial and sensitive information such as card details and bank accounts were accessed, and over half (55 per cent) said they would walk away if any passwords were compromised.
Reducing the Cost
So, with regulation increasing transparency and consumers more aware than ever, how can businesses avoid being the next headline?
Businesses must ask themselves not if, but when they can expect a data breach, and make sure they are taking charge and adopting the right strategies to defend themselves. The focus must be on securing the most sensitive data a business holds, working from the core outwards. Too many companies concentrate on securing the perimeter and leave the data itself exposed, so an attacker who gets past the perimeter has free access to everything. Encrypting data, managing and storing the encryption keys securely (and separately from the data they protect), and managing and controlling user access are crucial steps for businesses to take to protect themselves.
With nearly every business using the cloud and the continued emergence of IoT, businesses have never had such opportunities to grow, but with that comes a larger attack surface to defend. It is crucial that organisations have the right security controls in place and build customers' confidence in their security, to avoid losing customers and facing legal battles. By implementing controls such as encryption, businesses can adopt what is known as a 'secure breach' strategy: even if attackers get in and take a copy of the data, what they take is unreadable without keys they do not have.
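As an added illustration of the 'secure breach' idea above (example code written for this article, not Gemalto's or any product's), the Go program below uses envelope encryption: each customer record is encrypted with its own random data-encryption key (DEK), and that DEK is stored only in wrapped form under a key-encryption key (KEK) that never goes into the database. The record ID, the customer fields and the keys are constructed sample values; in production the KEK would come from an HSM or cloud KMS and the calls to unwrap it would be access-controlled and logged.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// StoredRecord is what a stolen database dump gives an attacker: the record
// encrypted under a per-record DEK, plus that DEK wrapped under the KEK.
// The KEK itself is never stored alongside the data.
type StoredRecord struct {
	WrappedDEK []byte // nonce || AES-GCM(KEK, DEK)
	Ciphertext []byte // nonce || AES-GCM(DEK, plaintext)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts with AES-GCM under a fresh random nonce and prefixes the nonce.
// aad (the record ID) is authenticated but not encrypted, so a ciphertext
// copied onto another record fails to open.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// unseal reverses seal; it fails on a wrong key, modified bytes or wrong aad.
func unseal(key, blob, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	n := gcm.NonceSize()
	if len(blob) < n {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return gcm.Open(nil, blob[:n], blob[n:], aad)
}

// Encrypt draws a random DEK for this record, encrypts the plaintext under it,
// then wraps the DEK under the KEK. Only the wrapped DEK is persisted.
func Encrypt(kek []byte, recordID string, plaintext []byte) (StoredRecord, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return StoredRecord{}, err
	}
	ct, err := seal(dek, plaintext, []byte(recordID))
	if err != nil {
		return StoredRecord{}, err
	}
	wrapped, err := seal(kek, dek, []byte(recordID))
	if err != nil {
		return StoredRecord{}, err
	}
	return StoredRecord{WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// Decrypt must unwrap the DEK with the KEK before the record can be read, so a
// database dump alone (ciphertext plus wrapped DEK) is useless to a thief.
func Decrypt(kek []byte, recordID string, rec StoredRecord) ([]byte, error) {
	dek, err := unseal(kek, rec.WrappedDEK, []byte(recordID))
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	pt, err := unseal(dek, rec.Ciphertext, []byte(recordID))
	if err != nil {
		return nil, fmt.Errorf("open record: %w", err)
	}
	return pt, nil
}

func main() {
	kek := make([]byte, 32) // constructed sample KEK; real one lives in a KMS/HSM
	if _, err := rand.Read(kek); err != nil {
		panic(err)
	}
	plaintext := []byte(`{"name":"A. Citizen","card":"4111 1111 1111 1111"}`) // constructed
	rec, err := Encrypt(kek, "customer:42", plaintext)
	if err != nil {
		panic(err)
	}
	got, err := Decrypt(kek, "customer:42", rec)
	fmt.Println("authorised read ok:  ", err == nil && bytes.Equal(got, plaintext))

	// What an attacker holding only the dump can try:
	_, err = Decrypt(make([]byte, 32), "customer:42", rec) // guessed KEK
	fmt.Println("wrong KEK rejected:  ", err != nil)
	_, err = Decrypt(kek, "customer:43", rec) // ciphertext moved to another record
	fmt.Println("record swap rejected:", err != nil)
	rec.Ciphertext[len(rec.Ciphertext)-1] ^= 0x01 // flip one bit of the stored data
	_, err = Decrypt(kek, "customer:42", rec)
	fmt.Println("tampering rejected:  ", err != nil)
}
```

Two design points matter for the 'secure breach' claim to hold in practice: the KEK must be reachable only through an access-controlled service (otherwise the attacker who dumped the database can read the key file from the same host), and every record should carry its own DEK so that exposure of one key never unlocks the whole table.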
Investing in this strategy now is the surest way for businesses to protect themselves from the financial and reputational consequences that are appearing more and more often in the headlines. The true cost of a data breach varies from business to business, but loss is inherent in every breach, and companies should not be running the risk of finding out what their price is.