Is your business resilient enough to weather the storm that is a data breach? Should the worst happen and you find your company's confidential data exposed to prying eyes, do you have a robust incident response (IR) plan in place to help guide you?
A data breach can spur a company to action like few other events we can think of. It takes a good deal of forethought and planning to be able to manage the fallout, reassure customers that their privacy wasn't compromised (and if it was, to outline the steps you're taking to protect them), and so on. There's a lot of adapting required, and that means the more resilient your business is, the better equipped you'll be to come out the other side of a breach intact.
We're going to break this expansive topic into three sections for today's overview, what we mean when we say "business resiliency," a sample of the business impacts a data breach can have on your company, and some concrete steps you can take today to begin developing the resilience your business needs.
Business Resiliency: A Definition
Resilience, resiliency, business resilience, personal resilience, the idea of resilience has taken hold in recent years, and it seems like everyone is talking about it. At the same time, we've noticed a diversity of opinions on just what the word "resilience" means. We take a broad view of the concept, borrowing from the psychological literature on the topic:
"Resiliency: An entity's ability to pivot in order to maintain its core principles and values in the face of a dramatic turn of events."
This definition leaves some things open to interpretation, and that's part of why we like it. Is that entity a person? A corner store? A family? A multinational corporation? The definition applies to all of the above. For a business to fit this definition, its systems must be scalable, processes flexible, and systems adaptable.
One more thing to point out about our working definition, the missing words "return to normal." If there are one lesson businesses are learning during the global COVID-19 pandemic, it's that the future is uncertain, and nobody can accurately predict what "normal" will look like in 6 months' time, let alone six years' time. For a business to consider itself truly resilient, it must recognize that uncertainty and structure its processes accordingly. This resiliency is the key to future-proofing your business for whatever the new normal looks like.
Business Impacts of a Data Breach
So what does all that talk about business resiliency have to do with data breaches? Only everything. An organization with flexible processes and agile systems in place will be better positioned to respond quickly and concisely should the worst-case scenario occur — customer data leaked into the wilds of the dark web.
We go into greater detail about the potential impacts to your business in an upcoming whitepaper, so look for that soon. In the meantime, we're going to give you a sampling of some of the areas that tend to be hardest hit in the event of a breach: financials and brand reputation. As with any business topic, there will be overlap between these. However, there are enough differentiating factors that you'll want to approach them separately.
Financial impacts of a data breach
To many, it will seem self-evident that the bottom line will take a hit with a breach. However, there are hidden costs that many overlook when laying out business continuity plans and data recovery schemes. For starters, if you are located or do business in a region covered by data protection legislation, you'll be looking at potential fines and regulatory fees. The major global regulations, GDPR in the EU, CCPA in California, PIPEDA in Canada, and LGPD in Brazil, for example, all include hefty fines if a company is found to have been non-compliant.
Then, for public companies, you'll be looking at a stock dip. A recent study by the Ponemon Institute found that, on average, companies see a 5% drop upon disclosure of a breach. This same study showed that companies with strong security postures pre-breach could expect that to be much lower, as well as having a much shorter journey to recovery. That strong security posture includes a well-documented business continuity plan and IR protocols.
Then you'll have the costs associated with cleanup and recovery. This category of costs includes everything from legal fees should any affected individuals decide to take action in that arena to bringing in outside forensic security experts to assist in the postmortem investigation. Then there are the PR experts you'll want to bring in to ensure your public statements are empathetic and disclose enough information to placate fears without giving away too much.
Brand reputation impacts of a data breach
This is a controversial topic in certain circles. That's because there's an internal divide in how much responsibility each department has in maintaining your business' brand reputation. While IT generally sees it as someone else's job, marketing tends to see it as a company-wide job. Put that difference down to the differing views each team has on the processes involved. IT deals with systems and infrastructure, so it has an internal view of the business, while marketing handles customers day in and day out, so they're getting the view of an outsider. Either way, it is incumbent on the organization to be aware of the public's perception of the company and to understand the ramifications a data breach has on it.
Communication lies at the heart of maintaining your reputation in the aftermath of a breach. Companies that own up to the fact that they were breached, communicate in a timely manner with those affected, and stay as transparent as possible throughout are the companies who will emerge intact. Maintaining customer loyalty is a tricky proposition in the best of circumstances and only gets trickier when private information is leaked. According to the same Ponemon Institute study, nearly 1 in 3 customers who were involved in a data breach in the last year discontinued their relationship with the business involved. Imagine how much easier it would be to recover financially if you were able to keep those customers instead?
What You Can Do Today To Begin Building Business Resiliency
Now we come to the part where we give you some ideas for how you can begin, today, to build up the sort of business resiliency you need to survive the worst-case scenario that is a data breach. To some extent, this resiliency can help you avoid a breach scenario in the first place by building up your perimeter defenses and implementing choice technologies like a solid IAM (Identity and Access Management) solution. Should you find yourself staring at a security alert saying that you've been breached, these same tips can help guide your response and recovery:
- Develop a strong business continuity plan
- Assemble an executive disaster recovery team
- Test IT and business team readiness
- Craft a crisis communication plan
- Implement regular security testing procedures
- Roll out training programs for all staff
- Lockdown your perimeter
As you can see from this introduction, the relationship between business resiliency and data breaches is a complex one with a lot of moving parts. Having resilient, flexible systems in place is crucial to being able to pivot when necessary in order to maintain your business trajectory, no matter the situation you encounter. We hope that if you take one thing away from this article, it's that how you respond to a crisis scenario will be a major determining factor in how hard you'll feel the impact of a data breach and how long your recovery will take. Reach out to learn more. We'd love to hear from you!
Auth0 provides a platform to authenticate, authorize, and secure access for applications, devices, and users. Security and application teams rely on Auth0's simplicity, extensibility, and expertise to make identity work for everyone. Safeguarding billions of login transactions each month, Auth0 secures identities so innovators can innovate, and empowers global enterprises to deliver trusted, superior digital experiences to their customers around the world.