SMBs Minimize Financial Impact by Disclosing Data Breaches

SMBs that are disclosing data breaches to their stakeholders and the public are less likely to lose as much as those staying quiet.

That’s according to a new Kaspersky report. It’s based on a global survey of more than 5,200 IT and cybersecurity practitioners.

Disclosing data breaches, on average, cost SMBs 40% less than those that saw the incident leaked to the media. Kaspersky found the same tendency in larger enterprises.

Failure to suitably inform the public about a data breach in a timely manner can worsen the financial and reputational consequences. For example, Yahoo was fined and criticized for not notifying its investors about the data breach it experienced. And Uber was fined for covering up an incident.

The High Cost of Silence

Costs for SMBs that disclose a breach are approximately $93,000. Those with an incident leaked to the media, however, suffered $155,000 in damage.

Likewise, the cost for enterprises that disclose a breach are roughly $1.13 million. That compares to nearly $1.6 million if the media catches wind.

Yana Shevchenko is senior product marketing manager at Kaspersky.

Kaspersky’s Yana Shevchenko

“It was quite surprising to see such a clear dependence between the way a data breach was disclosed and financial damage,” she said. “Of course, there is the more common truth that honesty is the best policy. And it was great to prove this with the survey findings. Moreover, it’s nice to see that almost half of [North America] businesses decided to disclose the incident proactively. And the most common reason to do so was internal policies and ethics.”

One in four (25%) companies tried to hide the incident, but saw it leaked to the media, according to the report.

Timely Detection Important

The survey further proved risks are especially high for those companies that couldn’t immediately detect an attack. Some 29% of SMBs that took more than a week to identify a breach found the news in the press. That’s double those that detected it almost immediately. The figures are similar for enterprises.

In the United States and Canada, 39% of those who proactively disclosed a breach reported it almost immediately. Forty-eight percent said it took up to a week. And one-half (50%) said it took more than a week.

“When a company discloses an incident, it should provide information on what exactly happened, how it affects its customers and partners, as well as what they should do and how the problem is being solved,” Shevchenko said. “Generic statement and the lack of details creates a breeding ground for speculation and may result in even bigger reputational loses.”

Improvements for SMBs

The report does show improvements for SMBs when it comes to detecting attacks. The amount of time taken to detect and respond to data breaches has shortened significantly over the past few years.

“It can be more cost-effective for SMBs to outsource IT security, as this way they save on expensive cybersecurity experts and investments in an infrastructure’s defenses against advanced threats,” Shevchenko said. “As we see from the survey, for SMBs, the highest expenses of financial impact belonged to additional internal staff wages. If a company works with a reliable cybersecurity provider, it does not need to attract its employees for after-hour work.”

Also, a managed detection and response (MDR) service instantly increases the protection levels against complex threats through fast turnkey deployment, she said. Outsourced professionals can also help to resolve the incident more effectively if it has already occurred.