A data breach is more than just a security violation―it can be very disastrous for a company. According to the Ponemon Institute’s 2016 Cost of Data Breach Study, “the average consolidated total cost of a data breach grew from USD 3.8 million [in 2015] to USD 4 million [in 2016].” The study added that “the average cost incurred for each lost or stolen record containing sensitive and confidential information increased from USD 154 [in 2015] to USD 158 [in 2016].”
But data breach-associated losses go beyond financial ruin. A data breach can also destroy the reputations of both individuals and organizations. A 2014 survey commissioned by UK-based fraud prevention company Semafone revealed that 86.55 percent of people were “not very likely” or “not at all likely” to do business with a company that lost credit or debit card information to a data breach.
Ironically, however, many companies still do not seem to worry about data breaches. The Ponemon Institute’s Fourth Annual Data Breach Preparedness Study (2016) came up with the following findings:
- Approximately 38 percent of organizations “have no set time period for reviewing and updating their [data breach response] plan.”
- About 29 percent of organizations never reviewed or updated their plan since it was first implemented.
- Only 27 percent of organizations felt confident that they were capable of reducing the financial and reputational effects of a data breach.
- An estimated 31 percent of organizations were not confident in their ability to address an international data breach.
At the core of such complacency are certain myths regarding data security. These myths include the belief that a company is safe from data breaches as long as it does not possess confidential information. This belief is false because it has a very narrow understanding of the concept of “confidential information.” “Confidential information” is not limited to trade secrets and client lists; it likewise includes so-called “useless” information like payroll data. A data breach can easily expose employees’ names, addresses and social security numbers to identity thieves.
A second example of a data security myth is that employees always take the initiative to shred confidential documents. According to document destruction company Shred-it, two-thirds of small and medium enterprises (SMEs) expect their employees to dispose of confidential documents through in-house shredding. But the company also pointed out that only a third of SMEs say that they train their employees in information security procedures.
A third example of a data security myth is that working with the same trustworthy supplier for years means that supplier can be trusted not to leak sensitive company data. Canadian document destruction company Shred All claims that employee negligence accounts for 32 percent of all data security breaches. Even the most trustworthy supplier may be unknowingly doing something that can lead to a data breach. Mistakes like missent emails, lost mobile devices and improperly disposed confidential documents can easily expose sensitive company data.
Businesses that continue to hold on to data security myths do so at their peril. These myths might save them money or give them a false sense of control in the short term. But believing in data security myths will eventually render sensitive company data vulnerable to a breach. And a data breach, in turn, will translate to huge financial losses, tarnished brand image and reduced consumer confidence.
ADEC Innovations is an impact investing company that designs, develops and delivers a diverse data management and technology portfolio of Environmental, Social and Governance (ESG) solutions. We provide targeted solutions that maximize the usefulness of data in order to enable client organizations’ leaders and stakeholders to make informed decisions.
Experian Information Solutions, Inc. (2016). Fourth Annual Data Breach Preparedness Study.
Retrieved December 29, 2016, from http://www.experian.com/data-breach/2016-ponemon-preparedness.html?WT.srch=pr_2016_ponemon_preparedness
Green, J. (2015, January 20). “Counting the cost of complacency: five data protection misconceptions.” Shred-it.
Retrieved December 29, 2016, from https://www.shredit.co.uk/en-gb/blog/securing-your-information/january-2015/counting-the-cost-of-complacency-five-data-protect
IBM. (n.d.). 2016 Ponemon Cost of Data Breach Study.
Retrieved December 23, 2016, from http://www-03.ibm.com/security/data-breach/
Olavsrud, T. (2016, October 28). “Companies complacent about data breach preparedness.” CIO.
Retrieved December 29, 2016, from http://www.cio.com/article/3136651/security/companies-complacent-about-data-breach-preparedness.html
Segall, L. (2015, September 8). “Pastor outed on Ashley Madison commits suicide.” CNN.
Retrieved December 29, 2016, from http://money.cnn.com/2015/09/08/technology/ashley-madison-suicide/
Semafone. (2014, March 27). 86% of customers would shun brands following a data breach.
Retrieved December 29, 2016, from https://semafone.com/86-customers-shun-brands-following-data-breach/
Shred All. (2016, May). Human Error In The Workplace.
Retrieved December 31, 2016, from http://shredall.ca/news/2016/05/human-error-in-the-workplace