A data breach can destroy a business. For small- and medium-sized businesses (SMB), this is really especially concerning, as 60% will shut down within six months of the attack. While larger companies and agencies likely won’t have to shut their doors, they, too, suffer serious consequences. There are financial costs, which Ponemon Institute and IBM determined average $ 4.24 million, with 38% of that total coming from lost business. The hit to a company reputation after a breach takes its toll; consumers want to conduct business at companies that they deem safe. At least, they want to conduct business with those capable of keeping attackers away from their personal data.
Those are the external data breach consequences that every organization should be familiar with. But there is another price to pay for cyber incidents and that is the internal impact after the initial fallout. It will affect every department within the company in some way.
A Data Breach Can Pit the CEO Against the CISO
In the past, the CEO could raise their hands and say, “Hey, that data breach is the fault of the chief information officer (CISO). They’re in charge of protecting the company, not me. “
That’s not the case anymore. As the face of the company, people hold the CEO at fault. That includes consumers who walk away and shareholders who feel financial impacts. Those folks do not understand the inner workings of cybersecurity systems. So, of course, the CEO is going to be the fall guy. And sometimes they deserve that.
Cyber incidents put leadership in the spotlight, and not in a good way. A massive breach in a well-known company or an organization that handles sensitive data for tens of millions of people is going to make the CISO look bad. After all, it looks like a performance error. It makes the CEO look bad for a lack of support. The CEO may think the best solution is to throw money at the problem. They might offer customers great discounts or spend millions on a marketing campaign to redeem their reputation. Meanwhile, the CISO thinks the best course of action is telling the customers the truth about what happened. The CEO might believe the situation is resolved as soon as the company discovers the breach and stops the data leaks. However, the CISO knows there is more to discover from the cybersecurity side.
What it really highlights is CEOs and CISOs do not speak the same language. How they handle the mitigation is the difference between someone keeping their job or facing a very public dismissal.
Poisoned Search Results on Your Corporate Brand
Nothing truly disappears on the internet, something your chief marketing officer (CMO) will discover after a cybersecurity incident. Some companies will be forever tainted with the damage a data breach did to their reputation. That sticks no matter how long ago it was.
CMOs and the marketing department will spend months, if not years, in damage control after an incident. They’ll need to combat every Google search that includes the company name and the term ‘data breach’. And then there is social media to monitor. They need to organize responses throughout the team and across corporate platforms to make sure everyone is using the same positive spin. Just when they think enough time has passed to move on to something else, someone will make a negative comment on social media.
For some companies, especially SMBs, the damage to their good name is more difficult to overcome than the financial damage. If the customers are local and their personal information has been compromised, they’ll lose trust. They’ll tell others they lost trust. Sometimes the damage is too great for the marketing team to fix.
Loss of Sales After a Data Breach
Reputational damage also leads to a loss of customers and, in turn, a decrease in sales. When current customers lose trust in a business, they begin to look elsewhere. That might lead them to a rival who has not had a cyber incident. Poisoned Google searches and regular negative reports on news outlets will turn off potential new customers.
While the marketing team is looking at brand restoration holistically, the sales team is on the front line. They’ll answer questions from customers about the company cybersecurity – and they may not have any good answers beyond the corporate talking points. It’s a baptism by fire for sales teams.
The chief financial officer (CFO) is responsible for keeping the company running within its budget. A data breach throws that budget all out of whack. If the company has cybersecurity insurance, this could relieve many of the unexpected costs, but the Harvard Business Review warned that organizations are either downsizing their cyber insurance or not purchasing it at all. Even if there is insurance to count on, cyber incident claims are complicated and may not cover the costs.
There is also the lost income in downtime to consider. Plus, there’s the worst-case scenario: what to do in a ransomware attack. In the end, the arbitrator of paying or not paying a ransom will be the CFO. They have to decide if the company can afford to take a loss of millions of unrecoverable dollars.
Less Attractive to New Employees, Especially in Tech Positions
A data breach will result in employee turnover, especially at the executive level. Some will be fired because of the breach’s repercussions. Others will leave because of the stress involved with mitigating an incident. Blame and stress also trickle down through the ranks, resulting in turnover of staff.
Your company will need to replace those employees and that might not be very easy. Anyone who comes into the company at an executive level will have to start with post-incident clean up.
IT and security professionals are the ones on the front line of defending the network. Thanks to talent shortages, the demand for people with these skills is high. IT and security pros can afford to turn down a job from a company with faulty security systems. This makes the human resources savings job much more difficult, as well as extends the mitigation time.
Legal Penalties After a Data Breach
The legal team also faces ramifications in the post-breach era. They have to ensure state and federal laws are followed regarding consumer notification. Organizations that work with an international customer base also have to handle the fallout of global data privacy compliance violations.
If the organization faces litigation as a result of the breach, the legal team will spend hundreds or thousands of hours preparing briefs and pouring through discovery documents and forensic reports to find anything that will protect the company.
A data breach is more than a moment in time that compromised sensitive information. Its mitigation responsibilities belong to more than the IT and security teams. Everyone in the company feels the repercussions, beginning with the C-suite.
All companies face thousands of attacks a day; all companies face cyber risks. Your company becomes more valuable when you have two things in place. First, you need a cybersecurity system that prevents those attacks from becoming full-blown incidents. Second, you need a data breach response team in place, with representatives from each of the primary departments across the company. They’ll prepare with a plan to put mitigation efforts in action before the ramifications hit.