Far too many practice managers, partners and directors grossly underestimate the full cost and damage of a data breach, which is one of the reasons they don’t put adequate protections in place. When weighing the cost of protection, make sure you consider the following 5 losses.
1. Reputational Damage: What’s worse than a data breach? Trying to cover it up. Firms like Mossack Fonseca are learning that lesson the hard way, facing multiple class-action lawsuits for NOT telling their clients promptly when they discovered they had been hacked. With Dark Web monitoring and forensic tools, leaked data is readily traced back to the firm and website it came from, so you cannot hide it.
When it happens, do you think your clients will rally around you? Have sympathy? News like this travels fast on social media. They will demand answers: HAVE YOU BEEN RESPONSIBLE in putting in place the protections outlined in this report, or will you have to tell your clients, “Sorry, we got hacked because we didn’t think it would happen to us,” or “We didn’t want to spend the money.” Is that going to be sufficient to pacify them?
2. Government Fines, Legal Fees, Lawsuits: Breach notification law remains one of the most active areas of legislation. Right now, several senators are pushing for “massive and mandatory” fines and more aggressive laws on data breaches and data privacy. The courts are NOT in your favour if you expose client data to cybercriminals.
Don’t think for a minute that this only applies to big corporations: ANY practice that collects personal information has an obligation under the Notifiable Data Breaches scheme to tell affected individuals (and the regulator) when it suffers an eligible data breach. In fact, if your practice turns over more than $3 million in revenue a year and you fail to notify people that you have had a breach, you may be liable for civil penalties of up to $2,100,000 from the Office of the Australian Information Commissioner. If you handle tax file numbers, the above applies no matter what your annual revenue.
With all the new laws being passed, there is a very good chance you are NOT compliant – what HAS your IT company told you about this?
3. Cost, After Cost, After Cost: ONE breach, one ransomware attack, one rogue employee can create HOURS of extra work for staff who are already maxed out when things are going well. Then there’s practice interruption and downtime, backlogged work for your current clients, and lost sales. Forensics costs to determine what kind of attack occurred, which parts of the network were affected and what data was compromised. Emergency IT restoration costs to get you back up, if that’s even possible. In some cases you’ll be forced to pay the ransom, and maybe, just maybe, the criminals will hand over a decryption key that actually works. Then there are legal fees and the cost of legal counsel to help you respond to your clients and the media. Cash flow will be significantly disrupted, budgets blown up. Some jurisdictions (a number of US states, for example) require companies to provide one year of credit-monitoring services to consumers affected by a data breach, and more are following suit.
According to the Cost of Data Breach Study conducted by Ponemon Institute, the average cost of a data breach is $225 per record compromised (the 2017 study’s United States figure; the global average was lower), after factoring in IT recovery costs, lost revenue, downtime, fines, legal fees and the like. Bear in mind that this is an average across breaches of all sizes: the fixed costs of forensics, notification and legal advice do not shrink much for a small practice, so the per-record cost of a small breach is typically higher, not lower. How many client records do you have? Employees? Multiply that by $225 and you’ll start to get a sense of the cost to your firm.
4. Bank Fraud: If your business bank account is accessed and funds stolen, the bank is generally NOT responsible for replacing those funds, least of all when the transfer was authorised by your own staff. Take the true story of Verne Harnish, CEO of Gazelles, Inc., a very successful and well-known consulting firm, and author of the best-selling book The Rockefeller Habits.
Harnish had $400,000 taken from his bank account when hackers were able to access his PC and intercept e-mails between him and his assistant. The hackers, believed to be based in China, e-mailed his assistant asking her to wire funds to 3 different locations. It didn’t seem strange to the assistant because Harnish was then involved in funding several real-estate and investment ventures. The assistant replied to confirm, and the hackers, posing as Harnish, assured her that it was to be done. The hackers also deleted his daily bank alerts, which he didn’t notice because he was busy running the firm, travelling and meeting with clients. That money was never recovered and the bank was not responsible. Note that every step of the fraud ran through the one compromised e-mail channel; a phone call to Harnish on a number already known to the assistant, rather than a reply to the e-mail, would have stopped it.
Everyone wants to believe “Not MY assistant, not MY employees, not MY firm”, but do you honestly believe that your staff are incapable of making a single mistake? A poor judgment call? Nobody believes they will be in a car wreck when they leave the house each day, but you still put the seat belt on. You don’t expect a life-threatening crash, but that’s no reason not to buckle up. What if?
Claiming ignorance is not a viable defence, nor is pointing to your outsourced IT firm to blame them. YOU will be responsible and YOUR firm will bear the brunt.
5. Using YOU As The Means To Infect Your Clients: Some hackers don’t lock your data for ransom or steal money. Instead they use your server, website or e-mail account to spread malware and compromise other PCs, including your clients’. If they hack your website, they can use it to relay spam, host malware, build spam SEO pages or deface it with their religious or political message. (Side note: This is why you also need advanced endpoint security, spam filtering, web gateway security, SIEM and the other items detailed in this report, but more on those in a minute.) Are you okay with that happening?
Did your IT company talk to you about any of this? Are you worried they might NOT be delivering the protection you need and want? Then allow us to perform a FREE Security Risk Assessment for your organisation.
Just like a cancer screening, a good assessment can catch problems while they’re small, which means they will be a LOT less expensive to fix, less disruptive to your organisation AND give you a better chance of surviving a cyber-attack. To secure yours, go to https://www.myinfotechpartner.com.au/ps-cyber-risk/