Not if, but when
Breaches are a fact of life in today's attack-happy cyber world. In 2018, according to the Identity Theft Resource Center (ITRC), there were over 1,240 data breaches reported. These breaches accounted for an astounding 446 million consumer records containing personally identifiable information (PII), well over 100% more than in the prior year. If you count data like email addresses, user names, and passwords, the number of records compromised climbs to over 166 billion.
Businesses like Marriott, Target, Facebook, Cathay Pacific, Quora, and others were all breached in one way or another, leading to significant reputation damage as well as disruptions to their users and their businesses. Focusing only on business impact, not legal fees and settlements, the average insured loss from a cyber incident is now just over $2.3 million according to Allianz Global Corporate & Specialty (AGCS), though losses from major cyber events can run to hundreds of millions or more. You would not be alone in worrying about cyber incidents: they rank as the business interruption trigger most feared by businesses, according to Allianz Risk Barometer survey respondents.
Businesses of all sizes are being targeted, especially smaller and mid-sized firms that believe they may be below the hackers' radar, and whose data security practices may be less well-resourced than those of large organizations.
Why Data Breach Response Planning Matters
While information security technology is critical to every business, an equally or more important component of managing a data breach event is response and recovery. Most CEOs and CIOs do not get fired because their companies are hacked or experience a data breach; those who were (e.g. the CEOs and CIOs of Target and Equifax) lost their jobs because of their company's failed management response to the breach. The threat landscape changes so quickly that security policies and procedures are not keeping up.
Having a formal response and recovery plan is critical to demonstrating defensible practices and has been shown to help minimize risk and lessen the financial impact and damages caused by an information security incident.