In today's digital world, data is one of your organization’s most valuable assets, and keeping it secure is essential to protecting proprietary information, employees and customer trust.
According to a recent study by IBM, the U.S. holds the unfortunate position of first place for the highest data breach costs. The average data breach costs organizations $9.44 million in the U.S., compared to $4.35 million globally. Data breaches can happen quickly and without warning, so CFOs must safeguard against these threats and respond effectively when an incident occurs.
Data breaches can have profound financial implications for a business. From a monetary standpoint, those costs include:
- Forensic investigation to determine the cause of a data breach
- Paying a ransom (in response to a ransomware attack)
- Notifying affected customers and providing support
- Marketing and public relations campaigns
- Legal fees related to litigation and settlements
- Fines brought by government agencies
- Lost revenue due to customer churn
- Technology upgrades to prevent future breaches
Companies may also experience reputational damage and, for public companies, a drop in stock price if their mishandling of customer data is exposed.
How to Prevent an Attack
Business leaders must budget for and invest in robust security measures to protect their organization from potential data breaches.
Importantly, businesses should have an incident response plan in place, and that plan should be well tested to ensure preparedness when a security incident occurs. An expert can help organizations perform “incident response tabletop exercises” – essentially a simulation of an actual crisis – to help IT and leadership teams respond more readily and effectively to potential incidents.
Another important measure is developing a “ransomware playbook” that helps inform team decision-making in the case of a ransomware attack. This playbook can equip leadership with answers to central questions they may deal with in the course of a breach, such as: Should leadership pay a ransom if one is demanded? What should leadership communicate to employees, partners and customers – and at what stage should these communications occur?
By preparing these key processes in advance of an attack in concert with a trusted advisor, a company will be best positioned to deal with the consequences of a breach, and avoid having to make time-sensitive, high-stakes decisions without proper guidance.
Here are some additional practical strategies to implement.
- Firewalls and Encryption. Firewalls are essential in defending an organization's data from malicious actors. They act like a wall between the internal network and the external environment by blocking connections from unauthorized users. Similarly, encryption helps protect data in transit by making it illegible to anyone who intercepts it.
- Access Control. Require individual user accounts for each employee. Use strong passwords and multifactor authentication (MFA) to add an extra layer of security.
- Train Employees. Ensure your staff is aware of the potential risks associated with data breaches. Conduct regular cybersecurity awareness training so employees know how to spot suspicious activity.
- Stay On Top of System and Software Updates. Updates fix bugs and help patch security flaws and vulnerabilities, so use a patch system to install all updates automatically.
- Assess and Monitor Your Vendors. Ensure third-party vendors’ internal controls align with your organization’s by requesting a SOC report from all critical vendors.
What to Do If a Data Breach Occurs
Every organization should have an incident response plan to ensure it is prepared for a breach. This plan should include steps for responding quickly and effectively and for communicating with stakeholders.
If a data breach is suspected or confirmed, the first step is immediately taking all affected systems and equipment offline to prevent further data loss. Next, immediately notify your legal team and any relevant authorities, such as your local police or the FBI.
In addition, it is crucial to assess the scope of the breach and determine which customer data has been compromised. All U.S. states and territories have enacted legislation requiring companies to notify individuals of security breaches involving their personally identifiable information. Your legal counsel can help ensure you take the proper steps to notify affected customers. You should also contact your insurance provider to determine if your policy covers any costs associated with the incident.
Finally, you should take steps to identify what caused the breach and ensure that similar incidents do not occur in the future. This may involve updating security infrastructure, retraining staff or revising internal policies. Cybersecurity is constantly evolving, with malicious actors finding new ways to breach data systems daily. As such, it is essential for CFOs to regularly review and update their security measures to ensure that their organization remains protected from potential threats.
Data breaches can have a devastating financial and reputational impact on businesses. Proper defenses can help protect organizations from potential threats and minimize any losses resulting from an attack. With the proper precautions, companies can ensure that their data remains secure and their customers remain protected.
Copyright © 2023, CBIZ, Inc. All rights reserved.