A half-hearted approach to PCI compliance can put you out of business within months.
Cybercrime is up 600% since the start of the COVID-19 pandemic. A record-breaking 1,291 breaches were reported in the U.S. in the first nine months of 2021. Forty-three percent of the victims were small businesses.
It’s one thing to “do” PCI compliance. It’s another thing to do it properly. If you aren’t as serious as a heart attack about protecting your company’s sensitive data, you could be flirting with disaster.
The impacts you experience will go beyond the obvious financial costs — although you may be surprised by them as well. Let’s take a look at the effects of a data breach on a typical business.
Consider for a moment the enormous operational effects a single cyberattack can have on your organization. Certainly your IT department is suddenly in emergency response mode, but you’re also likely to face major interruptions across your entire operations.
You’ll need to discover how wide and how deep the attack went. That means unplugging your computers, isolating servers and devices throughout your organization, and locating the threats.
Your people are spending their time responding to the incident — replying to client inquiries, rewriting software, patching vulnerabilities, investigating your entire cybersecurity program, and doing additional security testing. Meanwhile, everything you had planned to do for business growth is put on hold while you try to save your company.
In the case of a ransomware attack, you’ll be locked out of your own system, shutting down some or all of your operations. If you have lost data, you’ll have to recreate it or limp along without it.
Executive leadership will be forced to deal with triage, cleanup, and fallout for months and possibly years. That includes negotiating ransoms, meeting with legal teams, reassuring clients, coordinating externally facing communications, sitting through frequent update meetings with your cleanup team, and conducting investigations.
A cyberattack leaves a crater the size of your organization, and you’ll spend a truckload of money digging yourself out of that hole.
Wasaga Beach is a small town in Ontario, Canada. When their municipal government was hit by a ransomware attack, they negotiated a ransom of about $35,000. But the total costs of the attack were much higher.
The City had to hire consultants and update their IT infrastructure. There were overtime costs and productivity losses as well. In the end, the cyberattack cost the town a total of nearly $252,000 — seven times more than the ransom itself.
The fact of the matter is, Wasaga Beach got off easy. At the end of the day, most organizations in their position would be spending ten times that amount.
Won’t cyber liability insurance cover those costs? Depending on your circumstances, you might be surprised to find out that your insurance won’t cover a dime. If you’re merely taking a cursory approach to PCI compliance, the insurance company will see it pretty quickly. They’ll also see that you’ve misrepresented yourself on your insurance application survey, which nullifies your protection.
Not only will you not receive help from your insurance, your premiums will skyrocket.
Other cleanup costs you should expect:
- Cybersecurity consultant fees
- New cybersecurity technologies
- Replacement equipment for your workforce
- Public relations support
- Legal fees
- Employee overtime
Why spend millions of dollars making improvements after the fact, when you could have invested thousands of dollars to avoid catastrophe?
Your customers depend on your company to fulfill your contractual and implied obligations to protect the sensitive information that you have access to. They trust that you take their security as seriously as they do. If they discover that you cut corners on your PCI compliance, it won’t be pretty.
A cyberattack inherently has seismic ripple impacts to your clients, partners, and vendors. You may have been the target of the attack, but it’s their data that’s been compromised. They’re the ones suffering as a result of your security failures.
History shows that companies hemorrhage customers after the announcement of a data breach. Not only will your existing clients take their business elsewhere, your sales team will face an astronomical challenge in making new sales. Go ask them how easy it is to land business today, and how much more difficult it would be after a breach.
Every time a prospective customer does some online research on your company, they’ll see the news about your data breach. Any organization that ends up with their name in the headlines is going to face a great deal of pain for a good amount of time.
Now you’re losing business while bleeding money. That doesn’t bode well for the patient.
If the data breach causes harm to your customers or vendors, they can seek legal damages in court. Your company is subject to state laws regarding data protection and data privacy. There may be severe fines for failing to do your due diligence, depending on the level of breach and the number of people affected by it.
You can also face legal action if you don’t respond quickly and notify authorities and affected individuals about the data breach.
Even if you manage to avoid a lawsuit, it becomes a legal matter as soon as you discover you’ve been hacked.
Your legal team will scrutinize every word before you issue a statement to your customers and other stakeholders. You’ll need to contact every affected person in your database. There will be extremely uncomfortable public statements about why the data breach happened and what you’re doing about it.
Hiring and Staffing Woes
If you’ve had a hard time staying fully staffed lately, your challenges just took a quantum leap. Nobody really wants to be associated with a pariah and a cyberattack puts you at risk of losing your top-caliber talent.
Not only could you lose good people, you’ll also find it hard to hire good people. Aside from security and IT personnel who love a good challenge, hiring rock-star employees could be darn near impossible.
On top of that, your breach may reveal that you didn’t have the right people to begin with. If human negligence was part of the root cause of your data breach, you may be firing a number of employees, reducing your workforce even more.
Layoffs could be a reality as well, if your revenue takes a large enough hit while you’re struggling to land sales.
It’s no wonder that most small businesses and many larger organizations don’t survive a cyberattack.
Protect Your Business with Confidence
Fortunately, that doesn’t have to be your story. The reality is, when you run a security and compliance program correctly, it’s a shield for your organization. It makes your company stronger and better protected.
The investments you put into your program are far more effective than the dollars spent on cyber liability insurance, which should only be an emergency parachute.
While there’s no guarantee that your business will never be breached, your risks are dramatically and actively reduced. In fact, Verizon reports that in ten years of investigating PCI DSS compliance, they never found a company that was fully compliant at the time it was breached.
Taking PCI compliance seriously can save your company from going out of business.
Need to know how to get started with taking PCI compliance seriously? TCT’s ebook, The No-B.S. Guide to Hit the Ground Running for PCI DSS 4.0, gives you everything you need to know about getting your act together and doing PCI DSS the right way. Download it today.