The Huffington Post reports that Target Corporation's Chief Information Officer, Beth Jacob, has resigned from her position as the company looks to regroup after the largest data breach in U.S. history.
While Target is still investigating the data breach, it has announced that it will take certain steps to improve cyber security, including…
- Centralizing data security oversight.
- Issuing micro-chipped credit cards.
- Working with an IT consulting firm to review its security and IT infrastructure.
These new measures will improve security, but they lead us to wonder about the psychology of a data breach. Why do so many businesses refuse to take data breaches seriously until it's too late?
Tell Clients: Don't Wait Until It's Too Late
All too often, companies assume that a data breach won't happen to them. Small businesses think breaches only happen to big businesses; big businesses think they don't need to invest in stricter security. Why is that?
Research clearly shows that attacks happen to businesses of all sizes. Furthermore, the Ponemon Institute – an organization that conducts independent research on data security and privacy – reports in a recent study that between data breach costs and identity theft lawsuits, businesses can expect to pay around $200 for each lost record. By this estimate, a small breach of 1,000 pieces of personal information would cost about $200,000. In other words, data breaches are really expensive.
But right now, many businesses prefer to keep their heads buried in the sand. It's only after they are attacked that they implement stronger security standards. Gee, wouldn't it be nice to have better security before a data breach?
It turns out that Target actually had planned to use micro-chipped credit cards years ago, but didn't think the cost was worth it. Now, after having lost millions of dollars (which could turn into billions), it is rethinking its timid approach to data security.
How to Overcome Reluctance from Clients
IT security consultants can face an uphill battle as they try to convince their clients to upgrade security. Let's look at some common objections and how you can respond to them:
- Objection: The cost of increased security is too high.
Your response: Adding security software and better IT infrastructure will cost more money, but these services cost far less than a data breach. Furthermore, upgrading your software and network comes with other non-security benefits, like better performance, usability, etc.
- Objection: I'll worry about security later.
Your response: Uh-uh. Nope. No way. That's not how security works. Security needs to be incorporated from the ground up. Many startups are struggling because they built apps that focused primarily on usability and disregarded security. Security can't be retrofitted. Technology just doesn't work that way. (For more on this myth, check out The Tech Startup Data Problem: Hacking as a Rite of Passage?)
- Objection: Security protocols are inconvenient.
Your response: Data breaches are REALLY inconvenient. Right now, Target would trade some "inconvenience" to avoid its declining stock value, hundreds of millions in lost revenue, and the dozens of lawsuits that have been filed against it.
- Objection: An attack is unlikely.
Your response: Car accidents are unlikely. But you wear a seat belt when you get in your car. You don't plan for what's likely. You plan to make sure your network can handle dangerous threats.
- Objection: If a hacker wants to break into a network, they can.
Your response: While hackers are persistent (and the malware they use is sophisticated), most data breaches are crimes of opportunity. In other words, if you have strong defenses, cyber criminals will look elsewhere and attack easier targets.
Your IT business needs to make sure clients understand the importance of data security, because you can wind up being liable. IT consultants and developers can be sued for a data breach that involves the software and networks they designed. Essentially, you're on the hook for your client's data security.
For this reason, small IT businesses need data breach coverage in an Errors and Omissions Insurance policy. To learn more, browse these free sample E&O Insurance quotes.