Your business data is the most precious thing you own--really. Think about it: Your customer records, your financial transactions, your business knowledge, your private employee information. Without this data, your company would collapse in a giant heap.
In an independent study conducted last year by the Ponemon Institute and sponsored by IBM, those surveyed revealed a shocking truth about data breaches. We already know the costs of a breach can be astronomical--e.g., fines for a violation in the health care sector can easily run up to six figures or more. Yet, the survey found that reputation management costs after a data breach can run as high as $5M per infraction.
What is reputation management?
Small companies often go to any means necessary to restore a damaged reputation--new advertising campaigns, adding security services, posting to social media. Lost trust with customers, employees, and vendors has to be rebuilt. Restoring a reputation to the level of confidence it enjoyed before the breach can cost more than the breach itself. It's a process that often requires help from consultants, social media gurus, and security experts.
The survey found that, while a breach might be a one-time event--e.g., the Target fiasco in which credit and debit card numbers were stolen in 2013--repairing a corporate reputation can take several months or even years.
"The strong linkage to business continuity management will allow a company that has already suffered a data breach to rebound more quickly and more smoothly--and that can save some of the negative impact to reputation," says Laurence Guihard-Joly, an IBM spokesperson for data continuity. "Business continuity enables a faster and more agile recovery, which in turn reduces the impact to reputation [losses]."
What's the harm?
Guihard-Joly listed a few examples of post-breach issues. If customers are not able to log in to a site after a breach, they might take their business elsewhere. Once a retailer is seen as vulnerable, more criminals might try to commit fraud unrelated to the data breach itself. If an IT services company has a network outage that results from a data breach, vendors might wonder if the company is lacking in other areas.
It is possible to minimize the costs associated with reputation problems caused by a data breach, as long as there is a plan on how to resolve the issues quickly. Letting problems linger--e.g., not fixing a login to a secure site quickly to ensure that a financial institution is not vulnerable to further attacks--means the reputation issues also stay unresolved.
Winning them back
According to Guihard-Joly, there is a high cost associated with winning back the trust from customers and vendors, and the reputation-management payouts can run as high as $100M for a severe incident. "These costs include the idle time of users [not being productive], the forensics used to determine the cause of the outage, technical support to restore the systems and data, reputation and brand damage, lost revenue, and compliance or regulatory failure," she says.
Many small businesses forget about the dangers of a security breach and hope it never happens, she says. They don't put a disaster recovery process in place and don't test the process to make sure the company can regain a foothold.
Back in business
Another shocking revelation from the study last year had to do with the number of companies that didn't bother with any continuity plan at all. According to the study, 31% of small businesses do not have a plan on how to recover from a data breach. Another 26% have a basic plan in place but it is untested and unverified.
"Smaller, unregulated businesses may choose to take a risk or they put recovery plans in place, but then through budget cuts and attrition, the people leave that developed the processes and procedures," says Guihard-Joly. "Those who step in don't test and they may think they are covered, but they are not. They are one event away from experiencing catastrophic damage to their reputation and significant financial damage to their business."
Of course, the ultimate solution is to create a continuity plan--e.g., to know exactly what steps you will take if a data breach occurs and have a plan for restoring a reputation in addition to the security infrastructure you use to prevent the breach. The faster that happens, the less cost overall for the data breach. Those who fail to create a recovery plan are the ones who end up headlining the evening news.