The true cost of a cyber-attack on your business

We all know that experiencing a data breach or cyber-attack has financial consequences. Merck and Maersk’s collective losses of over £500 million as a result of last year’s global WannaCry attack were enough to strike fear into the hearts of all businesses.

These losses were attributed to downtime and subsequent lost sales, but it’s always been difficult to quantify the cost of the reputational damage associated with a breach. Until now.

A survey conducted by Ping Identity has revealed that over three-quarters (78%) of consumers would stop engaging with a brand online if it had experienced a data breach. A further 36% would stop engaging entirely.

The way customers interact with brands and their willingness to share personal information has shifted radically in the light of increasing cyber-attacks, wilful misuse of data à la Facebook and legislative requirements like GDPR. People are more guarded about what information they share and with whom.

This shift is represented in the 49% of respondents who said they would refuse to sign up to a service or app that had experienced a data breach. Think about it: why would a customer willingly give you highly sensitive information if it looked like you couldn’t adequately protect that data?

Even if customers don’t need to provide financial information, the risks go beyond simply identifying them. Breaches are now so commonplace in the digital-first world that hackers can easily check whether a user’s email address, and any account-protecting information such as passwords or security answers, has already appeared in an earlier breach.

Take for example the Yahoo breach. All three billion (BILLION!) accounts were affected as part of this data theft. That means hackers had access to the data of every single Yahoo user’s account, including security question information and enough personal data to successfully carry out identity fraud (those who had been a victim of the latter are now entitled to compensation). If your company is hacked and a customer had signed up using a Yahoo account, a hacker could gain access to that customer’s account with you by combining what they stole from you with the information already exposed in the Yahoo breach.

It’s reassuring, at least, that close to half of those surveyed had made changes to the way they secure their personal data, and 54% are more concerned with protecting their personal data than they were a year ago. Survey after survey reveals how poor personal cyber security habits are overall; less than 10% of Gmail users have enabled 2-factor authentication on their accounts, and over half of the ‘digital natives’ generation reuses passwords. It’s encouraging that individuals are becoming more aware of the need to secure their personal data and accounts.

A degree of responsibility must lie with the data subject, but ultimately, it’s your legal duty to ensure you protect all Personally Identifiable Information (PII) that you hold. Not only will you be punished financially under GDPR for failing to adequately protect sensitive data, you’ll definitely lose out on further income as current and prospective customers stop engaging with you. Many businesses think a coordinated approach to cyber security is expensive and unnecessary, but choosing not to adopt one will cost you far more in the long run.

Another concern businesses have is balancing security with user experience. With a smooth mobile experience and the ability to contact most businesses at the click of a button, a straightforward and personable UX is now expected, not gratefully received. And while it’s true that a particularly poor user experience online will deter some customers, it’s less important than the ability to robustly protect a user’s data: 59% of the survey respondents rated a business’s ability to protect their data as more important than the cost of a service or the user experience.

We shouldn’t be surprised at the results of this survey, but it should be a wake-up call to businesses that don’t prioritise security and the protection of customers’ sensitive information. Under GDPR, the Information Commissioner’s Office (ICO) will have the power to punish you, with the most severe fines awarded to businesses that are wilfully negligent or who cover up a breach. Now, we know that a significant percentage of consumers would stop engaging with your brand and refuse to sign up to your services. And that’s the last thing that any business needs.