Companies have a gap in perception of data breach costs: survey

While organizations  that have experienced data breaches report some serious consequences, including damaged reputations, there is a gap in perception about the true costs of a breach, according to a recent U.S. survey.

Sixty percent of businesses included in the State of SMB Cyber Security Readiness survey, conducted by the Ponemon Institute, reported experiencing a data breach within the last year. The survey, sponsored by tech firm Faronics, included 803 individuals from businesses with between 50 and 3,000 employees across various industries in the United States. 

Those that had experienced breaches reported time and productivity losses, as well as serious reputational damage from which it took more than a year to recover.

While some did report no negative impact, loss of customer loyalty and legal costs were also consequences of the breach, the survey suggests. To a lesser extent, lawsuits and regulatory fines were also costs.

But among those that hadn’t had a breach, the perception of consequences was different. While a third of organizations had to lay off employees following a breach, only 5% of those that hadn’t experienced a breach said they considered downsizing to be likely following an incident.

That gap represents a need for more organizations to take their cyber security more seriously, the study suggests. Having formal processes in place for assessing security is critical, it notes.

“Although organizations have become more aware of potential threats, they do not seem to accurately perceive the repercussions associated with data breaches,” Dmitry Shesterin, vice president of product management at Faronics noted.

“Findings indicate that organizations do not understand the full costs and damages they will suffer as a result of a data breach. These organizations need to become more proactive about their security programs in order to minimize the damage they will inevitably experience from one, if not more, data breach.”

The majority of respondents cited informal observations from staff as the main step in identifying security risks, although risk assessments are also used. Internal or external audits were the least common method, according to the survey.

Most organizations cited compliance with regulations and laws and internal policies as their main cyber security priorities, with few seeking to become industry leaders in the area. Working within a fixed budget and maintaining compliance with minimum cost were also key for respondents.