In today’s tech-focused world, every successful company needs to be a digital business. While emerging technologies accelerate digital transformation, they also introduce new risks and exposures. Risk managers now consider cyber risk to be the biggest threat to their business. In fact, security breaches have increased 67% in the last five years. While many CEOs and board members consider cybersecurity a top priority, few companies are well prepared to deal with it. Twitter CEO Jack Dorsey recently had his own Twitter account compromised by hackers, forcing the company to rethink the way they operate. Leaders must set a tone at the top that permeates through the entire organization. Does everyone understand their role in managing risk to the digital business?

Additionally, cyber risk management is too critical of an issue to delegate to one department, such as the Chief Information Officer. Responsibility for risk must be monitored and shared across all business units, and cybersecurity experts should be added to boardroom decision making. To complicate matters further, there is an evolving regulatory terrain that requires constant navigation.

In addition to my work with SSA & Company, I’m also an advisor to G100 Network, a preeminent executive peer to peer convening, learning, and development organization. With cybersecurity on the top of many executive’s minds, G100 has created a cyber program with Melissa Hathaway, former cybersecurity advisor to President Obama and Bush. The program supports better alignment of management and board in assessing and prioritizing threats and incident response preparation. With a meeting on the horizon, I wanted to share some reflections to help distill the key issues and best practices for executives facing these issues.

Data Breaches: Facts and Figures

The 2019 Cost of a Data Breach Report provided valuable insight into key components of major breaches this year. The average cost of a data breach is $3.92 million. The average time for a company to identify a breach is 206 days, with an average time to contain a breach at 73 days. Each of these measures has increased from the 2018 study.

However, when security automation is deployed by a company, those costs can go down significantly.  The cost of a data breach for a company that has no security systems in place is $5.16 million, a 16% increase from 2018.  The average cost for a company that fully deploys security automation is $2.65 million, a savings of $2.51 million.  The average cost per lost or stolen record is $148.  For companies with a team in place, that cost drops to $134 per record. It pays to put proactive safeguards in place.

Causes of Data Breaches

According to the study, most data breaches are the result of hackers and criminal attacks (51%) such as Phishing and Spear Phishing (Phishing focused on a specific email address). Human error accounted for 24% of the data breaches examined in the report while system glitches, such as IT and business process failures made up 25%. It’s worth noting that of the human violations that lead to breaches— including employees disclosing information, mishandling of records, lost or stolen devices, texting private information, accessing information on home computers, and unauthorized employees accessing files— many of them could be mitigated with increased training of employees on the dangers of certain practices.

Key Factors Affecting a Breach’s Cost & Takeaways

The total cost of a data breach is dependent on a number of factors. The following are the largest contributing components:

• The unexpected loss of customers following a breach
• The size of a breach/number of records lost or stolen
• The time it takes to identify and contain a breach
• Management of detection and escalation costs
• Hidden costs of lost business post data breach, negative impact on reputation, and employee time spent on recovery
• Third party involvement in a breach and extensive cloud migration at the time of the breach
• Geography: Data breaches are most costly in the US and the Middle East, least costly in Brazil and India
• Health care organizations had the highest cost associated with a lost or stolen record, at $429, three times higher than average

Lost business following a data breach was found to be the greatest cost component. The study found that healthcare, pharmaceutical, and financial service companies experienced the most lost business following a breach, with average losses starting at $5.7 million.

Health care organizations specifically in the United States, had the highest cost associated with lost or stolen records at $429. This is nearly three times higher than the industry average of $150 per record.

The cost of a data breach varies significantly based on geography. The United States has the highest average cost for breaches at $8.19 million followed by the Middle East at $5.97 million. India and Brazil have the lowest costs associated with a breach at $1.83 million and $1.35 million respectively.

Mega Breaches 

Not only are data breaches becoming more frequent, they are also capturing more data. Mega breaches of over 1 million records cost companies an estimated $42 million, 8% more than last year. Mega breaches of over 50 million records cost companies an estimated $388 million, an 11% increase from last year.

This year, companies that have experienced mega breaches faced massive additional costs in the form of fines and court-mandated retribution to those affected. Equifax recently agreed to pay $700 million to the 147 million consumers impacted by their breach. The Federal Trade Commission ordered Facebook to pay a $5 billion fine following its Cambridge Analytics scandal and breach of up to 87 million users. These exemplify how the wake of a breach can be drawn out for years following the initial incident and have the potential to accumulate costs exponentially higher than originally expected.

Best Practices for the Future

Leaders can strategize to stay ahead of cyber criminals and minimize the impact of breaches or stop them all together. We have compiled a cyber security checklist to help you stay ahead:

• Conduct a risk assessment to identify and focus on the values at risk— your company’s ‘crown jewels’
• Include cyber security and data breach protection efforts in your company’s strategic plan and digital transformation initiatives
• Ensure Automated Security Systems are best in class
• Develop and regularly review your risk management and mitigation plan for cyber security and data protection
• Spell out clear roles and responsibilities, and train employees in advance of an attack
• Craft communications plans for all key stakeholders that can be easily customized for the specifics of a cyber or data breach
• Encrypt sensitive data
• Actively try to breach your own systems to understand vulnerabilities

Conclusion

Companies that balance exploiting digital innovation at the speed of market and designing technology with ethical standards will be the future winners. The adoption of technology qualifications for reasonable use is necessary to accomplish the business strategy, as is a focus on ensuring implementation for those quality standards. Digital innovation in today’s world requires a deeper understanding of the downstream residual impact from technology capabilities, use, and management decisions.

Across all industries, digital is racing ahead. Join the conversation in the comments below and follow my blog for more ideas on how your business can #Run2Digital.