JEDDAH: Enterprises and small and medium-sized businesses (SMBs) were more likely to be able to mitigate the financial damage caused by data breaches if they promptly informed their clients and the public, according to new research from cybersecurity solutions firm Kaspersky.
The company’s latest IT security economics report, on how businesses could minimize the cost of a data breach, showed a link between the way a data breach was disclosed and the total financial losses of an organization following a cybersecurity incident.
Organizations that took ownership of the situation could save up to 38 percent of the financial damage, while those that failed to do so risked more severe financial, as well as reputational, consequences.
For instance, web services provider Yahoo! was subject to the largest data breach on record when attackers stole personal information from about 3 billion Yahoo! accounts in 2013 and 2014. The company was fined for not notifying clients and investors.
Uber was also fined for allegedly covering up a data breach the ride-share service experienced in late 2016, affecting personal information belonging to more than 57 million customers and drivers.
Instead of reporting the incident, Uber paid the perpetrators $100,000 in exchange for their silence and did not announce the breach until November 2017. This incident resulted in a $148 million fine.
The Kaspersky report said that costs for enterprises that disclosed a breach were estimated at $983,000 in the Middle East, Turkey, and Africa (META) region. In comparison, those that had an incident leaked to the media suffered $1.579 million in damage costs.
The same applied to SMBs operating in the META region. Those that voluntarily informed their audiences about a breach experienced 19 percent less financial damage than those whose incidents were leaked to the press – $105,000, compared to $130,000.
Out of those experiencing a data breach, 53 percent of businesses in the META region proactively disclosed the incident, 26 percent had their leak exposed to the media, and 21 percent of organizations did not disclose it at all.
Although enterprises that managed not to disclose the incident experienced minimal consequences, this approach was considered far from ideal as they were at risk of losing even more if a cybersecurity-related incident was revealed to the public against their intentions.
Moreover, risks were especially high for companies that failed to immediately detect an attack. The report revealed that around 30 percent of SMBs that took over a week to discover a breach saw it exposed in the press, compared to none of those that detected the breach immediately.
Early detection could lower financial losses by 32 percent for enterprises and 17 percent for SMBs. The report surveyed more than 5,200 IT and cybersecurity practitioners across 31 countries in June.