Data breaches: the financial cost of poor planning

Data breaches can have a wide-reaching impact. Not only can a data breach impair your organisation’s ability to fulfil its business objectives, at least for a time, but there is also a significant financial cost associated with a breach of data, whether malicious or accidental.

Ponemon Institute’s 2018 Cost of a Data Breach Study considers the financial impact associated with a breach. In addition to response activities such as detection and escalation, data breach response and notification costs, the study considers the ‘lost business cost’: the loss of existing customers, the cost of acquiring new ones, reputational damage and diminished goodwill. Healthcare is identified as the sector with the highest per capita cost of a data breach among the 477 organisations sampled.

Loss of business

One of the study’s key findings is that loss of customer trust has serious financial consequences. The average total cost for organisations that lost less than 1% of their existing customers was $2.8 million.

This is consistent with recent figures suggesting that NotPetya, a 2017 ransomware attack that hit organisations across the globe, cost pharmaceutical giant Merck $135 million in lost sales in the first three months after the attack. The total loss over that period is estimated at $300 million.

Pecuniary fines

Under the EU’s GDPR (General Data Protection Regulation), the maximum fine has increased significantly: up to €20 million (about £17.5 million) or 4% of global annual turnover, whichever is higher. Organisations that suffer a breach aren’t instantly fined by their supervisory authority; fines are designed to be dissuasive and will be considered on a case-by-case basis.

More information on your obligations under the GDPR can be found on our website.

Protecting your organisation with an ISMS

ISO 27001, the international standard describing best practice for an ISMS (information security management system), can be used to help protect your organisation from breaches and other incidents. It not only helps you put effective security measures in place to prevent incidents, but also helps you prepare for them. That way, should a breach happen, you can respond without delay, mitigating the damage to your organisation as well as to your partners and customers. This will also help you recover business functionality more quickly.

Achieving ISO 27001 certification can also help you to meet the requirements of the GDPR – in particular, the accountability principle – and demonstrate your commitment to information security to existing and potential customers.

Training to suit your needs

One of the first steps to achieving ISO 27001 certification is to appoint an employee who understands the Standard and can lead the implementation project. IT Governance’s ISO27001 Certified ISMS Foundation Training Course provides a complete introduction to the elements required to achieve compliance with the Standard. The Foundation course can be followed up with the three-day ISO27001 Certified ISMS Lead Implementer course, which covers all nine key steps involved in planning, implementing and maintaining an ISO 27001-compliant ISMS.

View our ISO 27001 training >>

Speak to a healthcare expert about what course is right for you >>