Oh, the embarrassment! Should you play delay tactics or avoid disclosure altogether? Here are 10 irrefutable factors to ponder over…

If your organization has suffered a data breach that affects owners of that data, senior management has a legal obligation to disclose it. End of story.

Nah … Things are not so simple. Some firms will try to hide the incident. Others will disclose it but obfuscate the details to defuse the impact. With counsel from their brand consultants, other firms may try to offset the bad PR by flooding the media with positive fluff to distract the public.

Here is the pro tip that even the huge enterprises have tripped on: Failure to inform the public about a data breach in a timely manner can make the financial and reputational consequences of a data breach more severe.

Some high-profile cases include Yahoo!, which was fined and criticized for not notifying its investors about the data breach it experienced, and Uber, which was fined for covering up an incident.

Here are the remaining factors that will tip your data breach disclosure towards honesty, sincere attempts to mitigate damage and exhaustive efforts to prevent future breaches:

  1. According to a new report by Kaspersky, organizations that voluntarily inform their stakeholders and the public about a breach, on average, are likely to lose 40% less than their peers that prefer to be found out. Costs for small- and medium-sized enterprises (SMEs) that disclose a breach are estimated at US$93,000, while their peers that had an incident leaked to the media suffered $155k in damage.
  2. For large enterprises, the same report, based on a global survey of more than 5,200 IT and cybersecurity practitioners, shows less financial damage (28%) for those that honestly and promptly disclose the incident.
  3. Your organization can be among the 30% that try to hide the incident, or among the 24% that hide it and get found out (according to available data). Such defiant companies are at risk of losing even more if—or more likely when—the breach somehow gets known by the public after inexcusable delays.
  4. The risks of heavier financial, punitive and reputational damage are especially high for those companies that could not immediately detect an attack. Some 29% of SMEs that took more than a week to identify a breach found the news in the press—double those that detected it almost immediately (15%). For enterprises, these figures are similar at 32% and 19% respectively. Even if your organization gets off with a small penalty, it is no guarantee that brand damage and cumulative loss of consumer trust will not lead to its eventual downfall as more breaches hit it.
  5. To detect breaches and contain them in a timely manner before immediate public disclosure, follow the vendor-neutral advice and insights in CybersecAsia.net and similar websites to guide your team in choosing the best solutions to automate your corporate network’s detection and disaster recovery abilities.
  6. Organizations with limited resources to fund an in-house cybersecurity team should turn to external threat-intelligence and cyber-incident response firms that can meet their budget.
  7. Prevention is better than disclosing an embarrassing breach: Make sure your organization possesses basic endpoint detection and response capabilities for better all-round network visibility and automated response/alerting. Train every level of staff to imbibe a security-first culture, and make use of AI and digitalization features to make your organization natively secure.
  8. Sometimes, even the best-effort scenario can be foiled by hackers that have already targeted your organization for some reason. Minor cybersecurity incidents that are shrugged off by staff could actually be part of a patient reconnaissance campaign to time a massive attack. This is where threat intelligence consultancies can be worth investing in.
  9. In the aftermath of disclosing a breach and taking full responsibility for mitigation and corporate accountability, conduct post-mortem investigations and implement awareness training for all parties involved, including communication specialists, IT teams and even third-party vendors. Be wary of engaging PR agencies that try to dilute the gravity of the situation using standard stunts that the news media can detect (and respond unfavorably to) in an instant.
  10. Remember: your organization can try to defy its legal obligations and even pay the fiscal penalties, but the resultant reputational damage can destroy consumer trust and ruin your company.

As Kaspersky’s Senior Product Marketing Manager Yana Shevchenko noted: “Proactive disclosure can help turn things around in a company’s favor; and it goes beyond just the financial impact. If customers know what happened firsthand, they are likelier to maintain their trust in the brand. Also, the company can give its clients recommendations on what to do next so that they can keep their assets protected. The company can also tell its side of the story by sharing reliable and correct information with the media, instead of publications relying on third-party sources that may depict the situation incorrectly.”