There’s an old adage that says, “Honesty is the best policy.” A new survey from security vendor Kaspersky suggests it might also pay.
The survey, released Monday, says that on average, small and medium-sized businesses that tell stakeholders and the public about a data breach are likely to lose 40 per cent less than their peers that saw the incident leaked to the media. The data suggest the same pattern holds for enterprises.
“Proactive disclosure can help turn things around in a company’s favour, and it goes beyond just the financial impact,” said Yana Shevchenko, senior product marketing manager at Kaspersky. “If customers know what happened firsthand, they are more likely to maintain their trust in the brand. In addition, the company can give its clients recommendations on what to do next so that they can keep their assets protected. The company can also tell their side of the story by sharing reliable and correct information with the media, instead of publications relying on third-party sources that may depict the situation incorrectly.”
The conclusions are based on a global survey of more than 5,200 IT and cybersecurity practitioners in June. Costs for SMBs (firms with up to 999 employees) that disclose a breach are estimated at $93,000 (all figures in U.S. funds), while their peers that had an incident leaked to the media suffered $155,000 in damage.
The same is the case for enterprises. Those that voluntarily inform their audiences about a breach experienced 28 per cent less financial damage than those whose incidents were leaked to the press – $1.134 million compared to $1.583 million.
In North America, around half (48 per cent) of businesses that responded to the survey revealed a breach proactively. In contrast, 27 per cent of organizations that had experienced a data breach preferred not to disclose it. A quarter (25 per cent) of companies tried to hide the incident but saw it leaked to the media.
Kaspersky also said that identifying a breach early gives businesses a much better chance of avoiding unexpected public disclosure. For example, 29 per cent of SMBs that took over a week to discover a breach said they saw it exposed in the press, compared to nearly half of that (15 per cent) when the breach was detected almost immediately. It’s a similar case for enterprises, with these figures standing at 32 per cent and 19 per cent respectively. “The pressure on speed when it comes to data breach discovery and reaction therefore impacts both costs and reputational damage caused by public disclosure,” says the report.
In the U.S. and Canada, 39 per cent of those who proactively disclosed a breach said they reported the breach almost immediately, while 48 per cent said it took up to a week, and 50 per cent said it took over a week to disclose.
Note that the survey covers the public acknowledgment of a breach. In some jurisdictions, companies may have an obligation to report a breach of security controls to a regulator, but not to the public.