A new report by the cyber-security firm Kaspersky has highlighted the direct relationship between how a data breach is disclosed and the financial losses the affected organisation suffers. The report said that small and medium businesses (SMBs) that voluntarily inform the public about a data breach are, on average, likely to suffer 40 per cent less financial damage than peers whose incident was leaked to the media. SMBs that disclosed their breach to the public within due time reported an estimated loss of $93,000, while those that did not disclose it themselves suffered $155,000 when the incident was leaked to the media.
Failing to inform the public about a data breach in a suitable and timely manner can make its financial and reputational consequences more severe, the report concluded. The same tendency was found in enterprises. Firms that voluntarily disclosed a data breach to the public incurred a loss of $1.134 million, while firms where the information was leaked suffered a loss of $1.583 million, 28 per cent more than the former. "Proactive disclosure can help turn things around in a company's favour – and it goes beyond just the financial impact. If customers know what happened firsthand, they are likely to maintain their trust in the brand," said Yana Shevchenko, Senior Product Marketing Manager at Kaspersky.
One real-life example is Yahoo!, which was fined and criticised for not notifying its investors about the data breach it experienced. Uber was also fined for covering up a data breach. Kaspersky surveyed more than 5,200 IT and cyber-security practitioners globally. The survey showed that organisations that take ownership of the situation usually mitigate the damage. Around 46 per cent of businesses disclosed a breach proactively. However, 30 per cent of organisations that had experienced a data breach preferred not to disclose it. Almost 24 per cent of firms tried to hide the incident initially, but it was eventually leaked to the media.
"Although minimal losses were reported by businesses that managed not to disclose the incident, this approach is far from ideal. Such companies are at risk of losing even more if -- or more likely when a cyber-security incident is revealed to the public against their intentions," said the report. It added that the risks are especially high for those companies that couldn't immediately detect an attack. Nearly 29 per cent of SMBs that took more than a week to identify that they had been breached found the news in the press, which is double those that detected it almost immediately.