Being in a more connected environment benefits all of us, from those using social media to stay in touch with far-away relatives, to businesses enjoying the rewards of remote working. But, while connectivity is great and offers many positives, it also creates vulnerabilities.
Companies that handle sensitive data may find themselves the target and victim of cyber-attacks as malicious actors look to harvest that information for their own gain. Common threats like malware, ransomware, and Denial of Service (DoS) attacks cost companies money, time, and resources.
The average cost of a corporate data breach has reached $4.35 million in 2022, highlighting the importance of information security compliance. But is cost the only motivating factor for companies to have better data protection? Let’s look at why information security compliance is more important than ever for modern businesses.
Why is data security compliance important?
Apart from the obvious point that it requires an organization to protect its data, good security compliance helps protect a company’s reputation and keeps its operations legitimate, which ultimately affects the organization’s profits. Note that compliance is a floor, not a ceiling: meeting a standard does not by itself make data safe, but it forces the controls, records, and accountability that a real security program is built on.
Business owners want their existing and new customers to feel they can trust them, but if a business loses control of customer data, that trust is easily destroyed. Companies must protect sensitive client data so that their reputation not only remains intact but also has the potential to be enhanced.
A report by PwC found that 85% of customers said they would not do business with a company if they were worried about its data practices. While large organizations may be able to absorb such reputational damage, small or medium-sized companies could find the obstacle too large to overcome.
Legal troubles from data breaches
Preserving a company’s reputation is one thing, but the people working for and in companies may also be prosecuted for how they handle a data breach, so it’s essential for everyone involved that compliance is maintained.
For example, in the first prosecution of its kind, Uber’s former security chief Joe Sullivan was brought to trial and convicted over the cover-up of a massive data breach. The charges (obstruction of justice and misprision of a felony, that is, knowingly concealing a crime) centered on hiding the breach from regulators rather than on the breach itself, but the verdict has sent a notable chill through the cybersecurity community. Now more than ever, companies must establish robust information security measures, including clear breach-notification procedures, to ensure compliance with the law. This protects not only companies and their clients, but also the staff who work there.
The knock-on effects
The actions of a company are interlinked: when it does something good, it can enjoy the benefits, but if it does something bad, deliberately or otherwise, consequences must also be expected. Companies suffering reputational damage from data breaches and legal trials will struggle to attract not only the customers they want, but also the right staff. The best talent may seek an early exit from a company with a damaged reputation.
While the media and the markets may overplay the facts, there is no doubting the damage that a data breach can do to a company’s reputation. According to a report by Aon, “Reputational damage and cyber risk go hand in hand… but companies also suffer reputational brand harm that could impact their stock value and their ongoing ability to keep and attract customers”.
The banking group Capital One suffered negative stock and reputation repercussions following a data breach affecting around 100 million customers across the US and Canada. The subsequent financial damage was estimated to exceed US$300 million as the firm fought to recover customers’ trust and regain its brand reputation in the sector.
With greater transparency and a growing obligation to report data breaches and cyber-attacks as they happen, the potential damage to businesses and their reputations can only increase. Public incident records, such as the Carnegie timeline of cyber incidents affecting financial institutions, make additional harm to a business’ brand more likely, because the incident stays visible long after it is resolved. When trust is gone, it can be hard to win back: customers doing due diligence on a supplier, and candidates researching a prospective employer, will keep their distance. Failure to project a positive image can hurt companies for years to come.
Meeting industry standards
It’s not unusual for industries to work with sensitive information, whether that is their clients’ financial data or patients’ health records. With the ever-present threat of data theft hanging over these organizations, industries are beginning to take action to protect the people who use their services.
For example, in June 2022, New York became the first US state to require attorneys to complete at least one credit of cybersecurity, privacy, and data protection training as part of their Continuing Legal Education (“CLE”) requirements. The training must relate to attorneys’ ethical obligations regarding data protection, general cybersecurity, and data privacy. Beyond such industry-specific requirements, it is sensible for companies in every industry to roll out cybersecurity training for staff.
Fending off threats from competitors
Although it might sound like something from a movie, corporate espionage is a real threat that companies face every day. Historically, companies placed most of their value in physical assets, but today intangible assets account for more than 80% of the overall value of the S&P 500.
Whether a cybercriminal’s aim is to steal intellectual property or to wreak havoc and sabotage a company’s operations, companies must do what they can to protect themselves from cyber threats. Protecting intellectual property through compliance can be an overwhelming task if it has not been part of the business plan from the start.
To begin, companies should inventory all of their intellectual property assets, from copyrights and trademarks to domain names and patents, and keep that inventory current as new assets are created. You cannot protect what you have not identified. That information must then be protected, whether it is held in physical documents or digitally.
How can companies ensure information security compliance?
With businesses and organizations readily embracing technology to modernize their methods and to appeal to staff who want to work remotely, enhancing data privacy will continue to be an area of major need.
Companies may face fines for breaches, but it is also hard to put a number on the losses they suffer through reputational damage. Ensuring information security compliance is necessary, and there are measures companies can put in place to help.
Companies seeking greater information security compliance should:
- Limit access to valuable data on a need-to-know basis (least privilege), rather than by seniority: an executive with no operational need for a customer database should not be able to read it.
- Vet third parties and ensure they meet your data-protection requirements, contractually and in practice.
- Train and educate staff on secure behavior, and repeat the training regularly.
- Improve digital hygiene through regular security audits.
- Detect and put an end to unauthorized data sharing, inside and outside the organization.
- Create and rehearse an incident response plan so that a data breach is contained and reported correctly.
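The first and fifth points above are easy to state and easy to get wrong, so here is a small worked example, added to this article and not taken from the original or from Tripwire, of what "need-to-know" access and "detecting unauthorized sharing" look like in code. The roles, data classifications, principals, assets and audit events are all constructed for illustration; a real deployment would take them from an identity provider, a data inventory, and the sharing platform's audit log.

```python
"""Least-privilege access check plus an audit-log scan for unauthorized sharing.

Added example, not from the original article. All roles, classifications,
principals, assets and audit events below are constructed for illustration.
"""
from dataclasses import dataclass

# Data classifications, in increasing order of sensitivity (assumed scheme).
CLASSES = ("public", "internal", "confidential", "restricted")

# Highest classification each role may read (assumed). Seniority alone grants
# nothing: a director is cleared no higher than an engineer, and both still
# need to be on the project that owns the data.
ROLE_CLEARANCE = {
    "contractor": "internal",
    "engineer": "confidential",
    "director": "confidential",
    "dpo": "restricted",  # data protection officer
}


@dataclass(frozen=True)
class Principal:
    name: str
    role: str
    projects: frozenset  # the principal's need-to-know scope


@dataclass(frozen=True)
class Asset:
    name: str
    classification: str
    project: str


def is_permitted(principal: Principal, asset: Asset) -> bool:
    """Allow only if BOTH conditions hold: the role's clearance covers the
    asset's classification, and the principal has a need to know (is on the
    owning project). Public data needs no need-to-know check."""
    clearance = ROLE_CLEARANCE.get(principal.role, "public")
    if CLASSES.index(asset.classification) > CLASSES.index(clearance):
        return False
    if asset.classification != "public" and asset.project not in principal.projects:
        return False
    return True


def find_unauthorized_sharing(events, principals, assets):
    """Scan share events (actor, asset_name, recipient) and return findings
    for every share whose recipient would not pass is_permitted()."""
    findings = []
    for actor, asset_name, recipient in events:
        asset = assets[asset_name]
        if recipient not in principals:
            findings.append((actor, asset_name, recipient, "recipient is not a known principal"))
            continue
        if not is_permitted(principals[recipient], asset):
            findings.append((actor, asset_name, recipient, "recipient lacks clearance or need-to-know"))
    return findings


# Constructed sample data.
PRINCIPALS = {
    "alice": Principal("alice", "engineer", frozenset({"payments"})),
    "bob": Principal("bob", "director", frozenset({"marketing"})),
    "carol": Principal("carol", "contractor", frozenset({"payments"})),
    "dana": Principal("dana", "dpo", frozenset({"payments", "marketing"})),
}
ASSETS = {
    "payments-cardholder-db": Asset("payments-cardholder-db", "confidential", "payments"),
    "q3-press-release": Asset("q3-press-release", "public", "marketing"),
    "dsar-register": Asset("dsar-register", "restricted", "payments"),
}
# Constructed audit events: (actor, asset shared, recipient).
SHARE_EVENTS = [
    ("alice", "payments-cardholder-db", "bob"),     # director, but not on payments
    ("alice", "payments-cardholder-db", "carol"),   # contractor: clearance too low
    ("bob", "q3-press-release", "carol"),           # public: fine
    ("dana", "dsar-register", "alice"),             # restricted > engineer clearance
    ("alice", "payments-cardholder-db", "eve@external.example"),  # unknown recipient
]


def sample_findings():
    """Run the scan over the constructed events; used for the demo and tests."""
    return find_unauthorized_sharing(SHARE_EVENTS, PRINCIPALS, ASSETS)


if __name__ == "__main__":
    for actor, asset_name, recipient, reason in sample_findings():
        print(f"{actor} shared {asset_name} with {recipient}: {reason}")
```

The scan reports four of the five events: the share with the director fails on need-to-know even though his role is cleared for confidential data, which is exactly the distinction a "senior management only" rule misses. In practice the same check belongs in the sharing platform itself (so the share is refused), with the log scan as the audit control that catches what slipped through.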
Threats are constantly evolving, and we must ensure that our IT systems and devices are up to the job. That means applying security updates promptly when vendors release them, since unpatched, publicly known vulnerabilities remain one of the most common ways attackers get in.
About the Author:
Chester Avey has over 10 years of experience in cybersecurity and business management. Since retiring he enjoys sharing his knowledge and experience through his writing.
Twitter: @ChesterAvey
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.