On January 11, networking equipment and IoT device vendor Ubiquiti Networks sent out notification emails to its customers, informing them of a recent security breach. As with every other breach notification I’ve ever read, the email concluded by stating, “We take the security of your information very seriously.”
Customers weren’t buying it. Go to their user forums and you’ll see at least 11 threads in response to the security breach notification. Ubiquiti’s customers are demanding answers. Some are deleting their accounts, others are confused about what the breach means for them. In almost every case, trust has eroded.
Ubiquiti isn’t unusual. When Target was breached in 2014, their profits took a 46 percent hit.
Don’t Tell Me You Care About Security
Let’s be honest: there’s something wrong when a CEO says they care deeply about security in a notification about a security breach. Every breach notification ever written says “We take your security seriously.” The truth is, if these organizations had really prioritized security, they probably wouldn’t be sending a notification in the first place.
Granted, there are some cases where the cause isn’t the company’s fault. Perhaps there’s a new vulnerability that nobody knew about. Or, despite thorough employee training, somebody dropped the ball. It happens from time to time. But those are edge cases.
Sadly, too many companies walk right into a data breach because they prioritize “business needs” over security and don’t take seriously their responsibilities, or what the aftermath of a cyber attack means for themselves and their customers.
What’s the Worst That Could Happen?
Most people assume a breach will happen to someone else. Or, if it does happen, your cyber insurance will kick in and handle the cleanup. You can cut your losses and move on. The fact is, fallout from a breach is more expensive and more painful than you realize.
Imagine for a moment that it wasn’t Ubiquiti, but your company that announced a breach. What would it be like to land on national and international news sites? How would your customers respond?
Once this kind of thing gets out onto the internet, it proliferates like crazy. News sources pick it up. Social media spreads the news like a virus. It only takes a couple days for the whole world to know that you’ve been breached. And it will always be out there for everyone to discover.
Consider how hard your sales team works to land a client. How much harder would it be if, every time a prospect looked up information about your company, one of the top search results was about your latest data breach? It can be very difficult to win new sales when you have to explain how this happened.
When your customers entrust their information to you, they trust that you’re dotting your Is and crossing your Ts to keep their information safe. There’s nothing that erodes that trust quicker than a breach notification.
If your organization deals with any kind of customer data, whether it’s names and addresses, medical information, credit card data, or intellectual property, you have an obligation to protect the people who are entrusting their data to you.
Many executives are reluctant to invest in security and compliance, because a full-scale security program isn’t cheap. But the costs of a breach are much higher. Every year, businesses of all sizes go from healthy to non-viable in a matter of months due to a single attack.
Ponemon Institute did an in-depth study of average-size organizations and found that a data breach costs a U.S. company around $255 per sensitive record. Even small businesses typically have thousands of sensitive records, so you’re looking at a hit of millions of dollars for a single event. The average cost of a cyberattack is $3.86 million, and that cost is increasing every year.
Counting on cyber liability insurance to cover those costs? Agencies won’t cover you if you can’t prove that you’ve done your due diligence. Most of the time, gaining that insurance comes along with a written confirmation of what you’re doing for security. It may be wise to find out how your company filled out that information when you signed up.
A data breach doesn’t just hurt your organization. It creates a crisis situation for your customers, too.
Suddenly your customers are caught in the crossfire, and now they have a giant mess to deal with because your organization hadn’t prioritized security. Chances are, their data was compromised months ago, which means damage has already been done.
When your customers’ data is exposed on your server, it isn’t just their data that’s at risk. It’s all of their customers’ data as well. Which means it’s their reputations and their viability that are on the line. Through no fault of their own, your customers now have to explain to their clients why their data is at risk.
Good digital citizenship means recognizing that your approach to cyber security affects thousands — possibly millions — of people as well.
Data Protection Is Possible
The upside to all this is that you can protect your company from cyber attacks, and it doesn’t have to interfere with the growth of your business. In fact, smart organizations know how to turn their security into a sales opportunity.
You can put your company in a position to avoid data breaches. You can have confidence that you’re protected. But many organizations simply don’t have an adequate level of insight into their security and compliance management programs, and that’s where a lot of problems come into play.
Do your due diligence. Take a look at your security program and make sure it’s all buttoned up. Make sure you have good, qualified resources to run and manage the program. And make sure you know the state of your program. Don’t simply rely on the word of your IT department. The fact is, very few IT professionals truly understand data security, nor should they be expected to. It’s a whole other world, and it requires a security and compliance professional to manage.
A sound security program involves knowing who needs to do what, and when. It can be overwhelming at first, but there are terrific consultants who can get you up and running with a security program that makes sense for your organization. If you need some recommendations, TCT is happy to provide them.
If you say you take your customers’ security seriously, you’d better walk the walk. Are you certain that your company is actively maintaining a strong security posture? If not, TCT can help you figure out what you need and how to take the first step. At the very least, share this article with your management team.