Compliance Unfiltered is TCT’s tell-it-like-it-is podcast, dedicated to making compliance suck less. It’s a fresh, raw, uncut alternative for anyone who needs honest, reliable compliance expertise with a sprinkling of personality.
Show Notes: What is the Full Business Impact of a Data Breach?
Quick Take
On this week’s episode of Compliance Unfiltered, the CU guys invite you to pour yourself something strong, and buckle up, for a hard discussion about the full-scale ramifications a data breach has on an organization.
Who gets hit first? Who gets hit hardest? How much time, effort, energy, and money goes into fixing it? How does this affect the relationships with clients after a data breach?
All the gory details and more on this week’s Compliance Unfiltered.
Remember to follow us on LinkedIn and Twitter!
Read Transcript
So let’s face it, managing compliance sucks. It’s complicated, it’s so hard to keep organized, and it requires a ton of expertise in order to survive the entire process. Welcome to Compliance Unfiltered, a podcast dedicated to making compliance suck less.
Now, here’s your host, Todd Coshow, with Adam Goslin.
Well, welcome in to another edition of Compliance Unfiltered. I’m Todd Coshow alongside the straw that stirs your compliance adult beverage of choice, Mr. Adam Goslin. How the heck are you, sir? I am feeling dismayed that I’m not two-fisting it right now. Yes, sir. And you are no stranger to an adult beverage yourself. I appreciate that greatly. And this topic has sent more than one person to find the nearest adult beverage of their choice.
And today, we’re going to talk, Adam, about the full business impact of a data breach. Now, thankfully, not every business has been through a data breach before, but give us an overview of what happens when an organization becomes aware that they have an issue.
Well, most of the time, certainly, it’s not like a predictable thing, right? You know, well, we know that Halloween is going to be on the 31st of October, you know, type of deal. And it’s just not the same when it comes to a data breach. I mean, this could be an idyllic Tuesday morning. This could be, you know, Sunday at, you know, 4 a.m. You just don’t know when it’s going to happen, but in some way, shape, or form, the organization becomes cognizant of the fact that they have a problem, whether it’s through their own internal capabilities, whether it is a client or a partner or a vendor that’s providing an alert, whether it’s the organization they just hit. In many cases, unfortunately, for most organizations, it’s not immediate that they find out that they’ve got a problem. In many cases it’s hundreds of days after the initial breach before the target organization is even aware that they’ve got an issue. So, you know, at some point in the game, somebody wakes up and becomes cognizant of the fact that they’ve got a problem. And I’ll tell you what, it has a very immediate and anxiety-ridden effect on the organization. There’s scurrying happening within the organization, all hell’s breaking loose. If the breach was, you know, kind of announced publicly, and that’s the way you found out about it, then that’s even worse because now you’re getting hit from outside resources simultaneously. It’s not a fun experience. Thankfully, I’ve never been in a position where the organization that I was in charge of had the issue, but, you know, I have been called in on several cases where organizations had, you know, basically gotten nailed and needed help. And boy, watching that firsthand, it’s definitely not a fun experience, and it’s a lot of stress, you know, that happens when that hits the fan. And, you know, really, it detracts from everything you’re doing. Whatever you had planned that day, you can throw that out the window.
It’s, yeah, it’ll change things, shall we say.
No doubt. Now, where is the impact felt initially inside the company? Well, you know, most certainly the IT group, the IT arena, you know, is the one that gets hit. Kind of right out of the gate, everyone’s coming at them, to them, asking questions, asking status, etc. You know, it’s super, super stressful. A lot of it depends too on, you know, how the target organization is orchestrated. So do they have their own internal IT? Do they have an outsourced IT vendor? You know, are there various other vendors that may be involved in their IT landscape, hosting companies, you know, development companies, things along those lines. So from IT, it then starts to spread, you know, as appropriate, to various other departments, depending on what’s going on. You know, the one thing that most of these organizations feel when they find that they’ve got a problem is the stark realization that, wow, we were not ready for this.
They might have thought that they were ready for it, but no, there is little that can prepare you for that reality. But as things, as alerts are going up the chain, as clients, customers, vendors are all getting in the know, if the media gets a hold of it, etc., now you’ve got stuff coming from all directions. You very quickly need to move from “we have a problem” to “what happened,” investigation and diagnostics, AKA digital forensics, to try to figure out what exactly had occurred, what was the extent of what happened, etc. You’re having interactions with the C level, especially when they really start to feel it as things start to heat up. You’re dragging in your legal to get involved, etc. As you start to get into it, there’s just a lot of different organizations, and certainly for the organization that gets into this area where they’ve been hit with some form of a data breach, now you’re coordinating with various vendors to try to figure everything out and whatnot. It’s pretty huge.
No doubt, now what are the ripple impacts to the other functions of the business? Well, I mean, certainly, it starts out with IT, out of IT and management, etc., but it starts to wave over these various functions of the organization. So, legal is gonna need to get involved; usually their involvement is more understanding what had occurred, understanding the landscape of the existing business, understanding the clients that are involved, understanding the contracts and agreements that we’ve got with those clients. In many cases, I recommend this to folks in the space, it is astronomically helpful to have your legal group already up to speed, and not just up to speed, they know what I do, but even just a quarterly pulse check for current client list, any new agreements that you’ve signed, things along those lines, so that they’ve got the inputs that they’re gonna need if something hits the fan. You’ve got ripple impacts to accounting, all these unplanned expenses popping up. You’ve got a ton of costs that are going to start to go out of the business. In a lot of cases, it depends on how the organization’s doing, but the accounting group needs to start making some pretty tough decisions around, yeah, well, what are we going to do here? All these things that we have to go spend money on that we weren’t planning on, etc. It depends on how much you’ve got sitting off to the side for the just-in-case fund. But in a lot of cases, they’ve got the accounting crew just trying to keep up, get things figured out, allocating all the expenses that are coming in to the appropriate accounts, etc. We talked about the C level. The C level starts to get hit from all sides. Meetings, they’re getting hit in meetings, they’re getting hit on phone calls, text messages, voicemails, press are hitting them up, etc. Keep in mind that for many organizations, the folks that are involved are trying to reach people at that organization, and they’ll get outright tenacious with it.
You could be working out in the morning and somebody’s talking to you about trying to have a conversation with you about it, etc.
The C level, especially just because our names are usually plastered on the website, plastered all over LinkedIn, etc, they’re usually a pretty prime target for getting hit up on what’s going on, and their world starts to get very busy, shall we say.
Sure. Once you realize you’ve got the issue, the minute that you get your insurance company involved for your cyber liability, you know, they’re stepping into the driver’s seat, they’re starting to kind of take command of what’s going on, what needs done, you know, things along those lines. And, you know, in some cases, it depends on the insurance organization. In many cases, though, they’ll mandate specific vendors that they trust, that they’re familiar with, etc., that are going to meet their requirements, to bring in for some of the forensics work and, you know, some of the diagnostics work and things along those lines. So, you know, a lot of people have this vision that, oh, well, you know, I got my buddy Bob who I can, you know, go ahead and use. Man, if the insurance company is going to be footing the bill, then you can bet you’re going to be using somebody that they trust, type of a deal. The other downside in the grand scheme of things is that, you know, you figure the insurance company isn’t going to be using, you know, we’ll call it the cheapest resources known to man. You know, these are often high-price-tag engagements, you know, and you’re often left answering some tough questions, type of a thing. We’ve done some pieces previously just about cyber liability insurance, etc. I know we definitely have a blog on it, so for those that haven’t gone in to take a look at that, go and look up the TCT blog and look at some of those insurance blogs. Those are pretty interesting, you know, around just how it works with the insurance company.
For sure. What about this? What about the sales department? You know, if you go and ask anybody in sales how easy of a job it is, in general, they’ll tell you that the job of sales is not an easy one. But now imagine that every single person you’re talking to is seeing your company’s name in lights all over Google. It’s a huge impact to the organization when you’re up against that. When it comes to trying to go land new sales and things along those lines, the reality is, you know, that organizations want to work with companies that, you know, care, that do a good job with their security. And if it goes sideways, then yeah, it’s going to be extremely difficult to start landing people. But the reality is it goes further than that. The minute that it gets out that we’ve had an issue, there’s an impact to the existing client base. One of the big costs in a cyber event is the loss of those existing clients.
Well, speaking about that, tell us more about what happens with existing clients when something like this goes sideways. Well, needless to say, there is a ton of unplanned turnover. The client depended on your organization to take your security and compliance seriously, there’s obviously some type of a failure, so they’re jumping ship. The attrition rate for an organization that goes through one of these events is astronomically high. It’s a really tough arena for the organization to navigate. Well, as the company starts to kind of understand what happened, then what starts to happen is the company’s really going to be going through a learning process as they start figuring out: How did this happen? What occurred? You know, etc. Their eyeballs are starting to get opened to maybe, you know, holes in their process, holes in their procedure that they thought they had in place, that they didn’t have in place. Skills on their team that they thought that they had, that they don’t. One big thing that I’ve done, I tell organizations fairly regularly, you know, your day-by-day IT people, they’re great at what they do. You know, they’re a great Network Administrator, they’re a great, you know, Machine Tech, they’re a great Developer, you know, type of a thing. It doesn’t make them security people, and that is a light bulb that unfortunately doesn’t go on. There are a lot of organizations that go under this guiding assumption that, well, you know, this person’s in IT so they must know how to do that job securely. It’s just not the case. For the company that’s going through this, they may need to switch out vendors, they may need to add new vendors, they may need to either swap out personnel for ones that have the needed skills, or they’re put in the position of needing to retain their existing personnel but are forced to add new capabilities to their approach to security and compliance, whether that’s adding new staff or whether it’s, you know, adding the expense of vendors.
It really just depends on the company in its present state, against what issues they had that got them into this particular position in the first place.
For sure. Now, articulate to folks the cost of a data breach in relatable terms. Oh man, you’re making it sound so nice. We got a data breach. It’s a data breach. I’m going to use that one again. Putting a data breach in relatable terms, you know, for a long time, you see all of these various costs of a data breach, right? And they’re coming up with these numbers which, in my mind’s eye, make it completely unrelatable. It’s going to cost the average company $9.36 million. Well, am I the average company? Am I better than the average company? And it makes it extremely unrelatable. There’s an organization in Northern Michigan that for a long time has done kind of a cost of a data breach study, which personally I like the best out of the ones that there are. It’s an organization called Ponemon, P-O-N-E-M-O-N. And some large organization sponsors the security survey each year. And the Ponemon report has just an absolute ton of information in there. One of the coolest parts is that you’ve got a way to be able to kind of relate it. Now, in this particular case, there were, and I forgot what the counts were, I should have looked this up before we got into this conversation, but there were hundreds of real companies that really got breached, where they talked to these real companies that really got breached across something like 17 different industry sectors, and then interviewed them to find out what did you spend money on? And what were the costs that you had to do? And how much did you end up paying? And they tallied up things like aggregated costs for existing client attrition, for all of the various security testing and plugging of holes, etc. And overall, they just put out a report in the middle of ’24, and in that report, I believe the number was somewhere around like $180 per record on average across these real companies. So 180 bucks a record, it doesn’t sound like a lot until you start looking at your organization.
You say, okay, well, how many client records do we have? How many employee records do we have? etc. And you start tallying up all those records and start to realize that, you know, the 181 sounds like a low number for a record, but as an example, if your organization kind of tallies up all of the various numbers and comes up with 75,000 records, well, guess what, you’re talking thirteen and a half million dollars. So, it’s like, for organizations, I would strongly encourage them to kind of get a handle on how much stuff do we have, you know, how much stuff do we have at risk, use that 180 a record amount and just do the math, because these are costs that, you know, the company wasn’t planning on for their current stance against their requirements for their cyber liability. It may or may not be covering them the way that they expect. Now, for these companies, is there a light at the end of the tunnel that’s not an oncoming train? Well, completely openly, it really depends on whether the company survives the process. There are many organizations that undergo this process, you know, they’re changed. Yeah. They’re changed forever. Number one, and number two, that’s if they make it. There are a lot of organizations that get hit with a data breach and they just, they can’t survive. They find out their cyber liability isn’t gonna cover all the costs they thought that it would because of, you know, the way they filled out their application, and things they said that they had in place that they maybe didn’t. And depending on the nature of how it occurred, that’s kind of a challenge, but there’s always gonna be ripple impacts to the organization. I mean, you think about it, right? The minute your company goes up in lights on Google, you know, all of your competitors are flocking to your existing client base: hey, we heard that, you know, your organization had an issue. So, hey, why don’t you come on over to us?
We haven’t had a problem like them. You know, it’s sad, it’s like vultures descending on a carcass, you know? It’s bad, man, it’s bad. For a lot of organizations, it is a struggle to make it through.
However, you know, once you’ve gone through, once the organization has gone through this process and the amount of pain that they have to go through, number one, I guarantee you it will take the organization literally years to recover, you know, from this particular, you know, extravaganza. My motion alerts are in full effect, can you hear me? I can. So, it will take years for them to be able to get back, but, you know, the changes generally for organizations that have to go through this, they’re substantial and they’re important.
And, so it will take them years to get through it, but, yeah, I think in the grand scheme of things, if they survive, they definitely will be, they will be better off for having gone through it.
Excellent. Parting shots and thoughts for the folks this week, Adam. Well, taking security and compliance seriously right out of the gate will ultimately save the organization hundreds of thousands of dollars, if not millions of dollars, you know. I struggle with the organizations that, you know, just think it won’t happen to us, or we’re too small or, you know, blah, blah, blah. Nobody’s avoiding this stuff. Nobody, you know, nobody wants to become a statistic, you know. Just think through how much ground you’re going to lose, if you even survive, if this happens to you. It’s not worth it, you know. The cost to the organization to just do things properly, you know, and have those additional expenditures spread out annually, it’s going to be a drop in the bucket compared to the hit you’re going to take if you go through, you know, some form of a data breach.
Those folks that are listening that are business owners, leadership at an organization, board members at an organization, you know, you’ve got a responsibility to the people that depend on the company. You’ve got employees, you’ve got vendors, you’ve got all of their families that you’re responsible for, you know, I would just implore, you know, implore folks. Take that responsibility seriously.
And that right there, that’s the good stuff. Well, that’s all the time we have for this episode of Compliance Unfiltered. I’m Todd Coshow. And I’m Adam Goslin. Hope we helped to get you fired up to make your compliance suck less.