Big corporations attract the most press when they are hacked, but mid-sized organizations are increasingly becoming an attractive target for data breaches because of their size and potential for easier infiltration.

We believe that mid-sized organizations ($100M-$1B in revenue) don’t receive enough attention. They may or may not have a CISO or director of cybersecurity, yet a data breach can have as significant an impact on operations, reputation, and financial health as the big guys…maybe greater.

You’ve heard about the “hard” costs of a data breach:

  • The average cost of a data breach is between $3.86-$3.92M, depending on the source of your research.
  • In regulated industries, like healthcare and finance/banking, the costs can be much higher. In finance, the cost can be $210 per record, and, in healthcare, it’s twice the cost at $429 per record with the average breach size at 25K.

They also include the cost of increased cyber insurance, legal fees, advertising, customer reporting, and lost revenue that impacts market value. In a mid-sized business, these costs affect employees’ livelihood, as well as senior leadership’s, particularly impacting owners in privately-held organizations.

These costs can cripple a mid-sized organization. That’s true.

…But what about the “soft” costs of a data breach?

There is a greater, somewhat hidden cost of data breaches that spreads through an organization well beyond the initial hack or breach. These “soft” costs are organization killers.

When we consider the soft costs of a breach, they all come down to decreased trust and changed perceptions of organizational strength.

About one-third of customers will stop doing business with organizations who’ve been breached.
But, while diminished trust with customers is an enormous consequence, consider the long-term effect on these other, mission-critical relationships for your organization:

  1. Recruiting employees: Not only do current employees pay a cost in reputation, but prospective employees are less likely to apply for a job with a company known to have suffered a breach. This is a common, yet often overlooked, cost of a data breach.
  2. Investors and shareholders: Certainly, investors view any breach or cybersecurity risk as a threat to their investment and future returns. Shareholders may hold back on further stock purchases or, worse yet, dump the existing stock.
  3. Industry partners: Opportunities to collaborate with more prominent organizations could diminish or disappear as word gets out about the hit to the organization’s stability.
  4. Vendors: Many suppliers may change their financial terms, require higher minimum orders, or not be open to working with you anymore due to the instability caused by a breach.
  5. Regional and professional communities: The community where an organization sits — geographically, financially, and professionally — could question the value of the organization. They may back off from giving awards, offering marketing, or other valuable opportunities.
  6. Industry media: When it comes to data breaches (and their associated costs) the old saying of “any PR is good PR” couldn’t be more wrong. The industry may dig deeper into your organization’s position and stature after your cybersecurity stock has fallen.
  7. Personal data breach cost: Executives who represent the top-tier of mid-sized organizations bear the cost professionally and personally (sometimes financially and legally) among their industry peers, which can affect career opportunities.

These relationships make up the ecosystem where your organization wants to emulate strength, competence, innovation, and stability. Robust cybersecurity programs are essential to avoid degradation of trust with all of these stakeholders.

In fact, proof of cybersecurity maturity is a valuable asset and a differentiator for mid-sized organizations.

When we work with mid-sized organizations, we recommend a targeted approach that prioritizes the right methodology or strategy based on your unique industry, regulatory, and customer requirements.

We help you answer questions like:

  • Do you need a Centralized Data Loss Prevention (DLP) program?
  • What level of data inventory and classification is appropriate?
  • What users and devices (especially mobile) should have access to sensitive data?
  • What does proper cloud security look like now and in the future?
  • Which compliance rules apply to you, and which security frameworks would fit your needs best?
  • How should multi-factor authentication be applied?
  • How attentive are you to protecting customer data? What’s missing?
  • How can we bring impactful, efficient awareness training to employees?
  • Which monitoring and reporting tools would give you timely insights to identify potential threats?
  • Are you prepared for a breach? How quickly could you bring operations back to full capacity?

As you examine the cyber strength of your mid-sized organization, think about how your ecosystem would change due to a breach. Then, contact us. We can help you sort out what’s helpful and what’s just hype so that you can avoid a data breach and its associated costs.


Luke Wawrzeniak, Manager

Luke is a cybersecurity consulting professional with extensive experience developing and implementing Governance, Risk, and Compliance Management strategies and project execution.

He has helped clients mitigate regulatory and audit findings by achieving compliance with the following frameworks: NIST, ISO 27001, HIPAA, PCI, SOC2, and HITRUST.