In 2013, we saw the start of a series of massive data breaches impacting organizations of all sizes across a variety of industries, ranging from retail heavyweights such as Target to regional grocery chains like Supervalu. In 2014, organizations like Home Depot, JPMorgan Chase and eBay fell victim to data breaches, compromising a total of roughly 330 million personal records.
Now that we’re halfway through 2015, we’ve experienced one massive data breach involving Anthem Insurance Companies. While this is the only publicly announced data breach for 2015 that compromised over 70 million records, we’re seeing hundreds of smaller data breaches that go undetected for months, even years. We’ve seen the lasting effects a data breach can have on a big-name retailer, but how do small businesses fare when facing a data breach?
What's At Risk?
When operating a small business, many of the everyday challenges that revolve around network and payment security do not necessarily equate to the challenges larger organizations face. Outside of the direct loss of customer personal and payment information, there are additional costs that are directly related to a data breach.
After the dust had settled following Target’s data breach, the retailer is reported to have spent $200 million on the reissuing of new credit and debit cards by the financial institutions affected by the breach, along with an additional $100 million that Target is estimated to spend to upgrade its payment terminals in preparation for the upcoming shift to EMV-enabled cards. These costs are separate from the $88 million in breach-related expenses, bringing Target’s total cost to over $236 million.
While the costs related to Target’s data breach would not accurately predict the cost of a data breach for a small business, the short- and long-term consequences of a data breach for a small business are very similar to those for a larger business.
- Loss of data and personal records of customers
- Financial loss
- Lost customers
- Immediate loss in profits due to lack of sales
- Data breach notification
- Cost of reissuing compromised cards
- Legal fees
- Regulatory fines
- Brand and reputation damage
- Jobs lost (C-suite included)
- Forensic firm and other third-party costs
- Class action lawsuits
- Updating and fixing network security
- Identity and credit monitoring services
- Long term drops in investment
The impact of many of the short-term consequences can be easily quantified because of the immediate costs involved, such as lost customers and data breach notification. While the long-term consequences of a data breach are not as clear, we do know that the impact on small businesses is great: 60 percent of small businesses fold within six months after a cyber-attack or data breach.
Maricopa County Data Breach
In January of 2011, an IT employee at the Maricopa County Community College District (MCCCD) was approached by the FBI regarding one or more of the MCCCD’s databases that were available for sale on the internet. Maricopa County Community Colleges is composed of 11 small community colleges in Arizona serving more than 260,000 students each year. After completing an internal investigation and consulting with forensic experts, the MCCCD claimed that the security incident had been resolved.
Fast-forward two years to April of 2013: the MCCCD was approached again by the FBI, which informed it that fourteen of its network servers were listed for sale on a website. It was later discovered that an MCCCD employee in 2011 failed to meet company security standards, which in turn led to the security incident in 2013. After the MCCCD conducted an investigation into the scope of the data breach, it was determined that over 2.5 million records of current and former students and employees were compromised.
As the MCCCD continues to face the long-term consequences of a data breach, the associated costs are beginning to be quantified. When adding up the costs of updating network systems, credit monitoring and record management, the MCCCD is spending nearly $20 million in data breach costs. The board of the MCCCD also approved $2.3 million in spending allocated to the associated legal fees for two class-action lawsuits currently filed against the MCCCD for the delay in notifying affected customers.
What Can A Small Business Do To Protect Itself?
We’ve taken a look at the risks a small business faces when it suffers a data breach and the short- and long-term consequences that follow once a breach is discovered, and we’ve covered a real-life scenario of how a smaller organization can be severely impacted by a data breach. But how can a small business best ensure that its network systems and its customers’ personal information stay out of the wrong hands?
Cyber Liability Insurance
Organizations of all sizes realize that having a great defense is the best offense for combating cyber attacks. With so many different attack methods and scenarios where data theft can occur, there is no single security solution that can stop data breaches. Many businesses are now turning to cyber/data breach insurance to help offset the financial impact of a data breach.
Detection & Prevention
Having cyber insurance will help protect a small business from folding after a data breach has occurred. However, organizations need a proactive solution to combat security and data breaches. The best way to protect one’s small business is to employ an ecosystem of security solutions that work together to catch fraudulent spend more quickly and put an end to data breaches much faster.
Small businesses need to employ data breach prevention solutions to limit the number of successful cyber attacks, and for the attacks that are successful, a data breach detection solution is important to reduce the scope of the breach.