It’s almost inevitable that a company will become the victim of a data breach at some point. But there are some steps organizations can take to minimize the harm those incidents cause.
For the first time in seven years, the cost of a data breach declined, according to a study of 49 breaches in 2011 ranging from 4,500 to 98,000 records conducted by Symantec and the Ponemon Institute. The average cost to the company dropped from $7.2 million to $5.5 million, and the cost per record dropped from $214 to $197.
Those costs take into account all the expenses that resulted from the breaches, including the cost of the stolen data, money spent on investigations and communication, lost customers, and mitigation efforts such as providing credit monitoring services to affected victims.
According to researchers, the decline in damages is the result of organizations getting better at preparing for and responding to data breaches. The report found a few specific steps some of the organizations studied took that helped them avoid bigger losses after a cyberattack.
Here’s what your IT department can do now to lower the costs of a data breach in the future:
1. Put someone in charge of security
One of the best ways organizations can improve their ability to prevent and respond to a data breach: appoint someone in IT to be the head of information security. Companies studied that employed a chief information security officer (CISO), or someone with an equivalent title, spent on average 35% less after a data breach compared to those that did not.
Centralizing the management of security, including how the company responds after a breach, is one way to help make sure no parts of the process fall through the cracks and create bigger expenses later.
2. Don’t rush the response
Organizations that responded and notified customers too quickly without a thorough assessment spent more after the breach, according to the study. Organizations that notified victims in 30 or fewer days paid an average of $33 more per record compared to those that waited longer.
Of course, it’s also important that organizations avoid waiting too long for notification — that could increase their liability in court and risk further reputational damage.
What’s the appropriate amount of time? There’s no easy answer. Researchers say companies should wait until they’ve conducted a thorough assessment and have all the facts straight. One important thing to know: who exactly was affected by the breach. Otherwise, companies may make the mistake of assuming all customers were affected when it was really just one specific subset.
Also, organizations must check applicable federal and state laws — some of those may have strict timelines for notification.
3. Protect your reputation
More good news: Fewer customers abandoned businesses that suffered a data breach in 2011 compared to previous years. Lost business costs declined sharply from an average of $4.5 million in 2010 to $3 million in 2011.
Companies can decrease their chances of losing business by giving affected customers all the information they need and offering an easy way to contact the company with questions and concerns. Some companies set up a call center specifically to deal with breach-related calls, either with in-house resources or an external service provider.
Having notification letters planned and partially written ahead of time can also help. That will allow the company to carefully plan the message it sends to data breach victims, which can minimize the risk of losing business.
4. Get outside help
Companies that used an external consultant to help with data breach response spent an average of $41 less per record than those that did not.
The biggest benefit companies get from that outside help may be experience — companies in the study that suffered a breach for the first time spent significantly more in clean-up costs. Using an external consultant is a way to take advantage of experience in dealing with breaches, even if the organization never went through one before.
For more information, download the 2011 Cost of a Data Breach Study.