Protecting Your Bottom Line From Data Breaches

How to protect your bottom line from data breaches

Businesses need a multifaceted approach to protect their reputation, operations and finances from cyberattacks. Consider the following steps and best practices.

1. Gain a thorough understanding of data breaches and cyberattacks.

Knowledge is power, especially when it comes to data breaches. You must understand current threats and motivations to truly defend against them. 

So, what exactly is a data breach? Matt Caulfield, VP of Identity and Duo at Cisco Security, defines a data breach as an incident where cyberattackers gain unauthorized access to a company’s digital ecosystem. “From here, they can perform a variety of actions,” Caulfield explained. “They may attempt to access and steal confidential, sensitive or protected information. Or, in a ransomware attack, they might try to disrupt company operations and demand a ‘ransom’ to turn them back on.”

Lisa Campbell, VP of SMB at CrowdStrike, says data breaches are the digital equivalent of breaking and entering. “In simple terms, data breaches are like someone breaking into a filing cabinet full of private documents and taking information that they shouldn’t have access to,” Campbell described. “Within that hypothetical filing cabinet, attackers are looking for sensitive or confidential information, like customer data, financial records or passwords.” 

Data breaches can occur because of persistent hackers, system misconfigurations and other issues that expose sensitive data. Compromised data can lead to identity theft, financial losses and other devastating consequences. 

2. Know and prioritize your business’s data.

Before investing in an appropriate tech stack, it’s crucial to understand your data assets. Your business likely holds vast amounts of data, and some information will be more valuable and sensitive than other data types. You must know what you’re protecting and its level of sensitivity.

Identify the data that needs the most protection — the data others can easily exploit for financial gain. For example, if you’re a retailer, your customer database likely contains contact and payment details. If you run an e-commerce store, online payment security will be vital. If payment and contact data is breached, your customers may become victims of credit card fraud and phishing scams.

Your industry may put some data more at risk. For example, if you run a legal firm, you should understand that hackers-for-hire may be out to steal your client’s trade secrets and business information. If you’re in healthcare, be wary because bad actors pay substantial sums for confidential but valuable patient data.

Focus on securing the data whose loss or theft would be most catastrophic for your business.

3. Create a detailed data security plan.

Your data security plan will include hardware, software and strategies. A knowledgeable IT team or outsourced IT partner with experience in network security and database management should guide this plan. Focus on the following areas:

1. Protect points of connectivity with strong passwords and encryption.

Every device that connects to the internet must be secure, including desktops, laptops, mobile devices, printers, security cameras and access control systems. Each allows a way for a hacker to infiltrate the network and steal data. Device security requires both strong passwords and encryption.

• Passwords: Strong passwords help protect valuable data. “Require employees to use strong, unique passwords and enforce regular updates with a corporate password manager,” Campbell advised. “And implement multi-factor authentication (MFA) across all accounts.” 
• Encryption: You should also encrypt all data coming to and from your network. “Encrypt confidential information, such as passwords or addresses, to safeguard it from unauthorized access and maintain regular backups to minimize data loss,” Campbell recommended. Even if a hacker intercepts it, they won’t be able to decrypt it without the correct key. Cloud data encryption is particularly important. According to IBM’s 2024 Cost of a Data Breach report, 40 percent of data breaches involve data stored across multiple environments. However, cloud breaches incurred the highest average cost — $5.17 million.

2. Install antivirus software and a firewall.

Software solutions are essential to protecting your business from a data breach. 

• Antivirus software: Viruses and malware pose significant threats. For example, hackers can use spyware to discover usernames, passwords, email addresses and other login details. Ransomware, another type of malware, can infiltrate your system. Hackers use ransomware to threaten deleting your data or permanently block access unless a ransom is paid. Antivirus software — sometimes called antimalware software — prevents, detects, and removes rogue software on your system. It also quarantines new software or downloaded files to ensure they’re safe.
• Firewalls: Firewalls offer proven protection and are a recommended addition to antivirus software. They act as a barrier between your IT network and the internet, learning over time what types of incoming or outgoing traffic are typical. If the firewall detects traffic from a suspicious source, it blocks it until you confirm that the source can be trusted.

As attacks become more complex, organizations should also consider using more advanced defensive tools, such as AI-based solutions. Campbell recommended deploying solutions that leverage AI to stop ransomware and data breaches in real time.

3. Restrict access to your organization’s most valuable data.

More people than you might realize can likely access your company’s network. For example, a survey from security company IS Decisions found 36 percent of former employees still have network access, and 49 percent of current employees have shared their login credentials. Whether well-meaning or ill-intentioned, it doesn’t pay to allow such loosely regulated access to your company’s systems. 

Instead, carefully control user access, allowing employees to work only with the data and systems essential to their roles. Caulfield emphasizes that tightening permissions is a major deterrent against data breaches. “Limit access to sensitive data to only those employees who need it to perform their jobs,” Caulfield cautioned. “Implement role-based access controls and regularly review permissions.”

4. Maintain an inventory of permitted devices.

While allowing employees to bring their own devices to work was once popular, most experts now consider it a significant cyber risk.

Instead, consider maintaining a central list of company-owned registered devices with network access permissions. If an employee leaves, you can quickly remove their device’s access permissions until it’s reassigned. This approach also automatically blocks unrecognized devices, even if they have the correct password.

5. Keep software and apps updated.

Software updates are essential for data breach protection. Vendors often release updates after learning about security issues. The longer you wait to update, the more time potential attackers have to exploit those vulnerabilities.

“Regularly update all software, including operating systems, applications and security tools,” Caulfield advised. “Updates often include patches for security vulnerabilities that cybercriminals could exploit.”

You should also stop using software and apps that no longer receive vendor support. Make sure your team members can’t download unauthorized software onto your network or cloud server.

6. Protect your website.

Websites are often integral to business operations, especially for e-commerce companies. A poorly protected website offers an enticing attack vector for cybercriminals targeting company data.

To protect your business’s sensitive information from website-based intrusions, consider penetration test tools, such as Intruder and Detectify. These solutions can check your website and discover any current vulnerabilities. You should also ensure your TLS and SSL certificates are current and correctly registered. 

7. Ban removable media from the workplace.

Removable media like CD-ROMs, memory sticks, and USB flash drives are less common than in the past, but some businesses still allow them. Most security experts advise against this for two main reasons: removable media is easy to lose, and it can inadvertently transfer viruses or malware from other machines into the company network. To be on the safe side, create a cybersecurity plan that bans these devices.

4. Train your staff on data breach protection best practices.

According to Verizon’s 2024 DDIR, 68 percent of data breaches are attributed to the “human element” — typically honest mistakes by employees. Comprehensive staff training is vital to protecting your business and customer data. 

“The human element of cybersecurity is often the weak link,” Campbell agreed. “Through phishing and social engineering attacks, cybercriminals are adept at compromising identities. They then leverage stolen credentials such as user logins to access systems as legitimate users.”

To help counteract the human risk, include the following elements in your employee training: 

• Create a social media policy. Cybercriminals often troll social media accounts for information to use in phishing attacks, aiming to dupe employees into revealing usernames and passwords or taking a course of action. Experts advise creating a social media policy that restricts the types of company information employees can share online, especially details related to internal processes, technology, and client relationships. Encourage employees to be mindful of what they post and to avoid sharing sensitive work details that attackers could exploit.
• Train employees to spot phishing attacks. Even the most conscientious employee can be duped by cybercriminals. Caulfield recommends conducting regular training sessions to educate employees on recognizing and responding to phishing and social engineering attacks. Employees should be encouraged to verify unusual or suspicious requests and regularly communicate with the IT team.
• Teach remote employees to use VPNs. Hackers often set up dummy hot spots using a venue’s name to trick people into logging on. They can then intercept the data traffic in both directions from users logged onto their spoof network. To mitigate against this risk, train your remote employees on using virtual private network services to encrypt their data traffic. Consider also requiring staff to use cellular data networks when working remotely to further enhance security.

How data loss costs companies

Cybercrime costs can be steep. Caulfield emphasized that immediate costs may include legal fees, compensation owed to customers, and the loss of revenue from organizational disruption. “In the longer term, a damaged reputation and lost trust with customers can impact future revenue and growth prospects,” Caulfield warned.

Consider the following ways a data breach can hurt your bottom line: 

• A data breach scares customers away. Current and potential customers will likely avoid doing business with a company that fell victim to a data breach. According to Vercara, 75 percent of customers would end their relationship with a company in the event of a data breach or security incident. Additionally, according to an IAPP consumer trust report, nearly 68 percent of consumers are concerned about their privacy. Also, the report found half of consumers would consider not doing business with an organization that lacks clear privacy strategies in place.
• A data breach can ruin your business’s reputation. A business with a reputation for mishandling customer data won’t survive. “Data breaches can include financial losses and severe reputational damage,” Campbell cautioned. “In a recent survey of our small business customers, a third said they’d ‘likely’ or ‘definitely’ go out of business if they were subject to a breach.”
• A data breach may incur devastating financial obligations. Your business may be liable for significant damages after a data breach. Consider the following costs:
  • Recovery costs: According to the IBM report cited earlier, SMBs can expect to pay between $120,000 and $1.24 million to respond to and recover from a data breach.
  • Regulator fines: Each state has its own data breach laws, and fines can reach hundreds of thousands of dollars. Financial companies may also face penalties under the Gramm-Leach-Bliley Act, while healthcare providers may be penalized under HIPAA.
  • Class-action lawsuits: Significant breaches may prompt class-action lawsuits against a company. Even if the business wins, the cost of defending these charges may run into millions.
• A data breach disrupts business operations. Data breaches can temporarily — or permanently — shut down a business. During the response and recovery phase, the business may be unable to sell or provide services to customers, leading to lost revenue. This disruption may also result in an increase in negative online reviews, affecting the business’s reputation and ability to attract new clients.

Advice for recovering from a data breach

Data breaches can be challenging for businesses of any size, but they can be especially devastating for small businesses. Investing in security and focusing on prevention are always the best ways to deal with cybersecurity risks. However, mistakes do happen. 

If your business suffers a data breach, knowing how to respond in the hours after the attack is discovered is crucial. Depending on your organization and capabilities, Campbell advises bringing in an incident response partner to investigate the breach and determine a plan. 

“The first step is to contain the breach by isolating affected systems to prevent further unauthorized access,” Campbell explained. “To do this, you’ll need to assess the extent of the breach and determine if data has been taken or compromised. You’ll want to document all actions taken and ensure compliance with legal reporting obligations, and after mitigating the situation, review policies, retrain staff, and enhance security measures to prevent future incidents.”

Jeremy Bender contributed to this article.