Best practices for reducing the cost of a data breach

Having a strong IT security posture, CISO and incident response plan are key


There are two cost elements to consider when it comes to data breaches: the upfront investment to prevent a data breach (technologies, staff time, and other resources), and post-breach management when a data breach does occur. The latter is the key to possibly saving your company from significant financial losses.

Because frankly, a data breach will occur at some point to companies both large and small. In fact, any organization can be a target, with the financial, healthcare and government sectors most notably being hit hardest. Major breaches can affect thousands to millions of people, which can translate into thousands to millions of dollars lost for your company if the incident is not handled properly.

Where to Start

A recent Ponemon Institute report shows that organizations can greatly reduce the cost of a data breach by having a strong IT security posture, a chief information security officer (CISO) and an incident response plan.

Unfortunately, many companies are not as cyber secure as they should be. The study, “Is Your Company Ready for a Big Data Breach?,” showed that organizations are not employing essential procedures such as requiring mobile devices to be tested for security prior to connecting to networks or enterprise systems, improving access and authentication practices to make sure that only the appropriate employees and contractors have access to their information systems, and encrypting sensitive or confidential personal and business information stored on computers, among other protocols.

Besides the technology side of it, a company should assess its personnel and establish a role at the level of a CISO, as well as appropriate support staff. According to the same study, only 29 percent of respondents say their organization has a department or function designated to manage data breach incidents, and of those respondents who do, only 32 percent employ a CISO.

Lastly, having an incident response plan is crucial. A plan can help you act quickly if a data breach occurs, and acting quickly can help to prevent further data loss, significant fines and costly customer backlash. The plan should include identifying who the incident response team lead and team members are, what their roles would be in the wake of a cyberattack, and which outside partners should be contacted, among other steps. For a useful tool to get started on your plan, download a free Data Breach Resolution Response Guide.

Key Financial Factors

There are elements of a data breach response plan that, if not executed properly, will directly affect your bottom line. These factors include navigating the legal landscape and communicating with affected parties and the media, which can make or break your reputation. The study, “Reputation Impact of a Data Breach,” shows reputation is noted as one of an organization’s most important and valuable assets. The value of that reputation, based on an estimate among nearly 850 executives surveyed, was determined to be an average of $1.5 billion. With these elements in mind, the following are additional key tips to mitigate the financial impact of a data breach:

Engage outside counsel – Enlisting an outside attorney is highly recommended. No single federal law or regulation governs the security of all types of sensitive personal information. As a result, determining which federal law, regulation or guidance applies depends, in part, on the entity or sector that collected the information and on the type of information collected and regulated. Unless internal resources are knowledgeable about all current laws and legislation, it is best to engage legal counsel with expertise in data breaches to help navigate this challenging landscape and avoid regulatory fines and potential class-action lawsuits.