The moment an organization is breached, two things are inevitable: it will be spending a staggering amount of money to clean up the mess, and it will be losing a staggering amount of money as customers jump ship.
According to the Ponemon Institute, the average cost of a breach for a U.S. company is over $9 million. Many small companies never recover from a cyberattack, and some are out of business within six months.
Lost business is a major portion of that cost, and it’s increasing every year. In a report sponsored by IBM, the Ponemon Institute found that the cost of lost business after a data breach rose by 11% from 2023 to 2024. Your customers don’t just take their cybersecurity seriously — they’re taking your cybersecurity seriously, and if you have an issue, they’ll move their business to your competitors.
The bottom line is that your bottom line will get hit very hard if your company is breached.
And it doesn’t take a data breach to lose customers. Noncompliant companies that haven’t been breached are losing sales to the competition, too. Let’s take an honest look at how you’ll lose business if you aren’t investing in security and compliance.
Do Security and Compliance Get in the Way of Business Operations?
Over the years, I have frequently heard a notion from business leaders that they won’t invest in a security/compliance program, because implementing the program will grind their business operations to a halt. They see cybersecurity as a hindrance to productivity, profit, and customer acquisition.
Yes, there certainly are some cybersecurity professionals who get too enthusiastic about the protections they want to put in place. Yes, an excessive level of protection can indeed make it difficult to operate your business cost-effectively. But security and compliance aren't an all-or-nothing venture.
I’m not recommending that you endeavor at the outset to make your company tighter than the Pentagon. You don’t need to go to that level to provide reasonable protections for your organization. But you do need to take cybersecurity seriously.
If your policy is to do as little for security as humanly possible, it will just be a matter of time before your business gets hit by a ransomware or phishing attack and your sensitive data is exposed. In most jurisdictions you will be legally required to notify affected customers and regulators, and your company will immediately lose your best customers as well as future deals for quite some time (if you're fortunate enough to survive the experience).
Instead, find a middle ground. Implement a level of cybersecurity protection that is responsible but also allows you to operate your company without interruption. It is simply inappropriate to gamble your entire business on the false premise you’ll somehow dodge all of the bullets.
Do Your Customers Really Care About Your Security and Compliance?
You bet your ass they do. Nearly 60% of B2B buyers are more likely to do business with a company that prioritizes data privacy.
Nowadays, noncompliance can make it difficult for your sales team to win new deals, and it's only getting harder.
More and more companies are paying attention to the track record of their vendors. They’re asking tougher security-related questions during the sales process.
Want to validate this yourself? Just ask your sales and onboarding teams what percentage of new clients had security and compliance validation as part of their vendor onboarding process, and similarly ask what percentage asked for that level of depth even 3-5 years ago. And as more of your prospects become compliant, you will find yourself locked out of consideration before you can get your foot in the door.
When your customers need to prove their own compliance, part of their due diligence is to show that their vendors are compliant too. That means, as a vendor, you will need to provide documentation showing that your company measures itself against a recognized security and compliance standard, and increasingly that will mean being externally audited each year.
If your company can’t show that you’re living up to that standard, you’re putting your customers’ compliance in jeopardy. They won’t have a choice but to drop your company as a vendor and do business with your competitors instead.
We’ve Seen It Firsthand
We’ve had many organizations come to us looking for help, because they were losing sales opportunities. They didn’t have a strong cybersecurity and compliance program in place, and their prospects recognized it immediately during the vetting process.
One company told us that if they had landed a particular customer, it would have been a game changer for them. Instead, another company won the deal, because the competition took their security/compliance seriously. I can only surmise how many millions of dollars that company missed out on.
We’ve also seen organizations that had let their compliance lapse, and they lost large contracts with existing clients as a result. Some of them voluntarily let their compliance lapse because they thought there wouldn’t be any consequences. Other companies got lazy, received red marks on their annual compliance assessments, and had to answer some tough questions from their customers. Both sets of organizations lost existing business as a result.
The Fallout of a Data Breach
When you don’t take security and compliance seriously, you’re gambling with your business on a daily basis. Eventually, that breach will come and you’ll land on red.
Your stellar brand reputation can completely evaporate within hours of a breach announcement. No matter how highly you were perceived in the marketplace before a cyberattack, your reputation has just taken an enormous hit.
Customers depend on your organization to keep their sensitive information secure. They do business with you because they trust you. If you get breached, you show that you haven’t deserved that trust — and once trust is broken, it is very difficult to rebuild. You should not expect to get past a data breach in a short period of time. Sales will suffer for years into the future.
According to IBM's Ponemon report, for 92% of companies, full recovery from a data breach, including some semblance of restored customer trust, takes more than 100 days. For a third of companies, it takes 150 days or longer. That's nearly two full quarters of the year.
The cost to deal with reputational damage and lost business dwarfs the cost of proactively protecting your business before an attack occurs. If your organization had invested in the “cost center” of compliance for years, you still would have only spent a mere fraction of the money that a breach will cost.
It's no wonder that many small companies are forced to shut down within six months of being hacked.
What about your existing customers? There’s a general assumption that your existing client base is safe. Organizations operate under the notion that if there’s a breach, existing customers will stick with you or they’ll come back in a month or so. The stark reality is that if you have a security event, those loyal customers will leave and likely never return.
The bottom line: if your customers take security and compliance seriously (and they do), the last thing they want is to work with someone who doesn’t. Either a breach or even a perceived lapse in your standard of care for your customers’ data will shatter their trust.
Can Cyber Insurance Cover Lost Business?
Your cyber liability insurance may cover much of your financial costs after a data breach, but it won’t protect you from other business-killing costs — reputational damage, the loss of public good will, or lost customers.
You take a gamble every day that you choose not to invest in a solid security and compliance program. You’re operating on a hope that today won’t be the day you get hit with a cyber attack. Why even roll the dice, when the chances of surviving a data breach aren’t in your favor?
Doing Your Due Diligence Gives You a Competitive Advantage
Your competitors are investing in security/compliance, and they’re winning customers because of it — not in spite of it. And you can, too.
Your customers care more and more about the security of their vendors, and it is now a core part of their initial and ongoing vetting processes. They’re also becoming more savvy, and they can tell when they’re talking with someone who really takes compliance seriously. The difference is night and day for them. If you’re committed to doing cybersecurity and compliance right, it will be readily apparent to your prospects and existing customers.
Arm your salespeople with the ability to outsell their competition. Train them in the basics of security and compliance, and make sure they know exactly how your company meets the requirements that prospects check during their due diligence.
On the other hand, if your organization isn’t investing in security and compliance, you will be sure to lose important deals, no matter how good your salespeople are. And it will happen at an increasing rate.
For those who talk the security talk, it’s amazing just how easy it is to see straight through the thin veil of an organization that’s faking it until they make it in the security space.
3 Recommendations for Business Leaders
If you’re a business leader at your organization, it’s vital that you get a handle on the state of your organization. Find out first hand how your bottom line is being impacted by the state of your compliance (or noncompliance).
I have three recommendations for you to get started.
Attestations of Compliance
Someone in your organization is answering questions from your customers about where you stand from a security and compliance perspective. Typically, these customers will ask for an Attestation of Compliance (AOC) or they’ll have you fill out a security questionnaire.
Sit down with the person who handles these requests and have a discussion about the types of queries that come in:
- How often do they come in?
- What are customers asking, specifically?
- What are they interested in?
- How is your company answering those questions?
- What evidence are you providing to them?
- Are you actually doing what you say you’re doing, or is this person just making assumptions about your compliance stance?
Learn about what’s really going on within your company and start addressing the weak spots.
Cyber Liability Insurance
Next, find out who is filling out the applications for your cyber liability insurance. Insurance companies used to send out a simple one-page form that could easily be completed in a couple minutes. Now, those forms can be 50 pages long, and they’re complex.
Chances are strong that the wrong person is filling out those forms. Often it’s someone in Accounting or Legal, who likely has no real understanding of your compliance posture. Your compliance manager should oversee this activity, because they can ensure the application is completed accurately.
This is critical, because if you submit a claim and you've misrepresented your organization's security posture on the application, the insurer will likely have grounds to deny the claim or rescind the policy entirely. You won't get a dime when you actually need to use it. Unfortunately, you won't find out until it's too late, after the attack, when you're looking at several million dollars in cleanup costs.
Customer contracts
Finally, review your existing customer agreements. Find out what your clients are legally expecting from your organization in terms of security and compliance. You'll gain an understanding of your legal responsibilities, what your clients are actually requiring, and whether the cyber liability insurance you carry actually satisfies the coverage requirements written into those agreements.
Build Your Competitive Advantage
Will noncompliance cause you to lose out on new sales? You bet your bottom dollar. Security and compliance aren't merely a cost center. They're a revenue-generating tool that gives your sales team a competitive advantage, and they're the single best way to reduce the likelihood of a business-changing cyber event.
Need help figuring out your first steps towards investing in security and compliance? TCT can help you get started. Contact us for a free consultation.