Building Customer Trust Before and After a Breach

There has been a lot of news in the past few years about increased cybersecurity regulations and the potential fines they could impose on companies. From the E.U.’s General Data Protection Act to the California Consumer Privacy Act, the thought of government fines has left many businesses worried. And while it’s certainly something to be concerned about, studies have shown that the biggest cost to organizations following a breach isn’t regulatory fines, but loss of customers.

In fact, according to this year’s Ponemon report, lost business has been the largest source of breach costs for four years running. The report shows that, above all other factors, customer loss accounts for 36% of the total cost of a data breach — or an average of $1.42 million in lost business.

Placing more emphasis on customer retention both before and after a data breach will therefore greatly reduce the costs a breach could have on an organization. The Ponemon report shows that while businesses that were able to keep customer turnover below 1% experienced an average total breach cost of $2.8 million, organizations with customer turnover of 4% or more averaged a total cost of $5.7 million.

And there are a number of different steps an organization can take to help keep customer turnover as low as possible. 

Customer Retention, Before and After a Breach


You don’t want to wait until after a data breach to tell your customers that you prioritize cybersecurity. It will come across as insincere. After all, what reasons have you given to make customers believe it? That’s why placing an emphasis on your commitment to cybersecurity and protecting customer data before a breach is essential. 

A key way to show your commitment is to have a governance structure in place that shows you prioritize cybersecurity. The Ponemon report shows that having an established executive position responsible for ensuring the protection of customer data directly helps to reduce lost business.

Educating customers about privacy is another great way to build trust. Be upfront with your customers when it comes to how you use their information and why. This can involve having an accessible and clearly written privacy policy, informing customers about your use of cookies, and recommending the use of multifactor authentication.


In the event a breach does occur, not all hope is lost. Your customers will be rightfully concerned, but making it a priority to show what steps you’re taking to mitigate the effects of the breach will go a long way toward retaining those customers.

An important way to show this is first and foremost to promptly notify those affected about the breach. If a breach occurs, you don’t want to look like you were dragging your feet. There is no surer way to lose customer trust than to seem like you’re hiding the fact that customer data was lost.

After notifying your customers, you also want to provide help for the customers that were affected. Providing comprehensive identity theft prevention tools and requiring customers to reset their passwords are two good ways to do this. In fact, the Ponemon report found that organizations that offered data breach victims identity protection experienced less customer turnover.


After a breach, companies are fond of talking about how committed they are to protecting customer privacy. But the bottom line is that you want to prove this to your customers. Showing respect for their privacy before a breach occurs, and especially afterwards, will greatly reduce the impact your company will endure.

Time is not on our side

Among the many things that Equifax has been criticized for, one is the amount of time it took the company to identify, contain and then notify customers about the breach. The breach initially occurred on May 14th but went undetected until the very end of July. From there, it took the company an additional month to officially announce that the breach had occurred.

But the sad truth is that Equifax’s response time is actually a lot faster than that of many other organizations that suffered data breaches. One of the factors that The Ponemon Institute looks at in their annual Cost of a Data Breach Report is what they call the breach lifecycle. The lifecycle of a breach is defined as the time between when a data breach initially occurs and when the breach is finally contained. And the average breach lifecycle is shockingly long. According to the report, the average lifecycle came to a total of 279 days — a combination of 206 days to identify the breach and 73 days to contain it. And the report found that this number grew significantly over the past year, representing an almost 5% increase over 2018’s breach lifecycle of 266 days.

The impact of a long breach lifecycle for a company is not just a public perception of incompetence; it also dramatically increases the costs experienced. The report found that organizations with a breach lifecycle longer than 200 days saw much higher costs. Breaches that took under 200 days cost an average of $3.34 million, while long breach lifecycles were found to be 37%, or $1.22 million, more costly for organizations, for a total average of $4.56 million. Simply put, the faster a data breach can be identified and contained, the lower the costs.

Shortening the Lifecycle of a Breach

It is therefore pretty apparent that, in the event a breach occurs, organizations need to be prepared to respond as quickly as possible. Response to a breach involves two basic elements: detection and containment. Here are a few ways organizations can help reduce the length of both.


The Ponemon report shows that detecting a breach is by far the largest factor in the length of a breach’s lifecycle. Malicious attackers want to keep their access for as long as possible, so they will work to cover their tracks. And breaches caused by errors are often overlooked because, well, if we knew we had made a mistake we wouldn’t have made it.

It’s therefore important to constantly stay vigilant for signs that a breach has occurred. It can be difficult to constantly monitor all systems for anomalies. Intrusion detection systems (IDS) are helpful here, as are Security Information and Event Management (SIEM) systems, which collect system information (logs) and provide alerts if there is anomalous activity. At the very least, it is important to centralize your logging, conduct regular vulnerability and anti-malware scans of removable devices, and regularly check your administrative accounts for unauthorized changes or additions.

And while different types of breaches produce different signs, there are a number of general indications that can help tip you off when something is wrong. Repeated system crashes, unusually high system activity, and unapproved configuration changes are all common indications of an attack. It may be nothing, but it’s far better to be overly cautious than to assume everything is fine only to later find out something was wrong after all.
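The two checks the passage above recommends, reviewing administrative accounts for unauthorized additions and watching centralized logs for unusually high activity, can be scripted against a known-good baseline. The following is an added example and not code from the original post: it assumes a Linux host whose `usermod` and `sshd` messages are forwarded to a central log, and the log lines, the approved-admin baseline and the membership snapshot are all constructed for the example.

```python
import re
from collections import Counter
from typing import Dict, List, Set, Tuple

# Constructed baseline: accounts approved to hold administrative rights, as
# you would export it from your directory or identity provider.
APPROVED_ADMINS: Set[str] = {"alice", "bob"}

# Groups that confer administrative rights on typical Linux hosts (assumption).
ADMIN_GROUPS: Set[str] = {"sudo", "wheel", "admin"}

# Constructed, syslog-style sample lines; not captured from any real system.
SAMPLE_LOG = """\
2019-08-01T02:14:07Z host1 useradd[2233]: new user: name=svc-backup, UID=1007
2019-08-01T02:15:30Z host1 usermod[2240]: add 'svc-backup' to group 'sudo'
2019-08-01T02:20:00Z host1 sshd[2301]: Accepted publickey for alice from 10.0.0.5 port 50122
2019-08-01T02:21:00Z host1 sshd[2302]: Failed password for root from 203.0.113.9 port 41000
2019-08-01T02:21:01Z host1 sshd[2303]: Failed password for root from 203.0.113.9 port 41001
2019-08-01T02:21:02Z host1 sshd[2304]: Failed password for admin from 203.0.113.9 port 41002
2019-08-01T02:21:03Z host1 sshd[2305]: Failed password for admin from 203.0.113.9 port 41003
2019-08-01T03:02:11Z host1 usermod[2310]: add 'mallory' to group 'wheel'
2019-08-01T03:05:00Z host1 usermod[2311]: add 'bob' to group 'sudo'
"""

# Pattern for a usermod group grant and for a failed SSH password login.
GRANT_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) usermod\[\d+\]: add '(?P<user>[^']+)' to group '(?P<group>[^']+)'"
)
FAILED_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: Failed password for (?P<user>\S+) from (?P<src>\S+)"
)


def find_unapproved_admin_grants(log_text: str, approved: Set[str]) -> List[Dict[str, str]]:
    """Return every admin-group grant made to an account outside the approved baseline."""
    findings = []
    for line in log_text.splitlines():
        m = GRANT_RE.match(line)
        if m and m["group"] in ADMIN_GROUPS and m["user"] not in approved:
            findings.append(m.groupdict())
    return findings


def failed_login_bursts(log_text: str, threshold: int = 3) -> Dict[str, int]:
    """Return source addresses whose failed-login count reaches the threshold."""
    counts: Counter = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            counts[m["src"]] += 1
    return {src: n for src, n in counts.items() if n >= threshold}


def diff_admins(baseline: Set[str], current: Set[str]) -> Tuple[Set[str], Set[str]]:
    """Compare a fresh snapshot of admin-group membership against the baseline.

    Returns (added, removed): accounts holding admin rights that are not in the
    baseline, and baseline accounts that no longer hold them.
    """
    return current - baseline, baseline - current


if __name__ == "__main__":
    for f in find_unapproved_admin_grants(SAMPLE_LOG, APPROVED_ADMINS):
        print(f"ALERT unapproved admin grant: {f['user']} -> {f['group']} on {f['host']} at {f['ts']}")
    for src, n in failed_login_bursts(SAMPLE_LOG).items():
        print(f"ALERT {n} failed logins from {src}")
    # Constructed snapshot of who currently sits in the admin groups.
    added, removed = diff_admins(APPROVED_ADMINS, {"alice", "svc-backup"})
    print(f"snapshot drift: added={sorted(added)} removed={sorted(removed)}")
```

The log scan catches the grant as it happens, while the snapshot diff catches changes that never produced a log line (a host whose logs were not forwarded, or a grant made through a different tool), which is why the passage recommends both centralized logging and periodic review of the accounts themselves.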


The first step to containing a breach should actually happen before a breach even occurs: implementing an incident response plan and regularly practicing responses to cyber-attacks. The Ponemon report found that organizations with incident response plans and who simulate attacks were able to reduce the cost of a breach by $1.23 million.

The response itself largely depends on the cause of the breach. Whether it’s applying new security patches, updating user credentials, wiping stolen devices or something else, the essential point is to be able to quickly identify how the breach occurred and respond accordingly. The time to prepare is before a breach, not after.

Reducing the Cost of a Breach

The thought of a data breach is enough to send a chill down any business owner’s spine. And rightly so. Last month The Ponemon Institute released its annual Cost of a Data Breach Report, showing that the cost for companies that experience a breach continues to rise. According to the report, data breaches cost U.S. companies an average of $8.19 million per breach — far above the global average of $3.92 million.  

And the news is even worse for small businesses. The report found that smaller organizations suffer higher costs relative to larger ones. While a data breach will cost a large organization $204 per employee, smaller organizations see that cost jump up to $3,533 per employee.

The report also shows that a single breach can have a long-term impact on a business. New in this year’s report is an analysis of so-called “longtail costs” that shows how organizations feel the impact of the breach years after it occurred. It turns out that only 67% of the cost of a breach comes in the first year, with 22% in the second year, and 11% in the third.

Reducing the Cost of a Breach

So that’s the bad news. Luckily, the report also lays out a number of steps that have proven to significantly reduce the cost of a breach.  

Incident Response Plan and Simulation 

By far, the most effective way to reduce breach costs is to respond quickly. The report found that on average it took companies 206 days to identify a breach and another 73 days to contain it. However, those that were able to find and stop a breach in under 200 days saved a whopping $1.2 million.  

The best way to ensure you’re able to respond fast is to have a dedicated incident response team in place and conduct periodic tests of your response plan. According to the report, the combination of an IR plan and regular incident simulations leads to greater cost savings than any single security process — saving an organization an average of $1.23 million.


The report also shows that properly encrypting your most sensitive data will help reduce the cost of a breach. Encrypting data essentially scrambles your information so that it can’t be read without a key to decrypt it. According to the report, companies that encrypt their data on premise, at the endpoint, in transit, and in the cloud reduced the cost of a breach by an average of $360,000.

Security Automation 

More and more organizations are using security automation such as machine learning, analytics, and incident response orchestration to quickly identify and contain system vulnerabilities. According to the report, the cost of a data breach is 95% higher for organizations without security automation in place. There are a number of automated security processes available, but even just conducting regular vulnerability scans will go a long way toward reducing the cost of a breach.

Customer-Centric Governance

The report also found that having effective governance and leadership in place, such as a chief privacy officer or chief information security officer who focuses on preserving customer trust, is a key driver in reducing breach costs and maintaining a company’s key asset: its reputation.

Keep Things Simple  

Another interesting aspect of the report is that it shows that, when it comes to security technology, more is not always better. Excessive use of third parties, extensive cloud migration, and system complexity all increase the cost of a data breach. It’s therefore important to minimize the complexity of your security technologies where possible.  


All in all, business owners can’t just cross their fingers and hope nothing bad happens. This past year, the chances of a company experiencing a breach within two years increased to nearly 30% — a statistic that has jumped up by a third in just five years. As the report shows, preparing now can greatly reduce the financial impact if the worst does happen. The thought of experiencing a data breach is enough to make anyone feel powerless, but, from impact reduction to a fully prepared incident response team, there are concrete steps anyone can take to take back control of the situation.

Public Entities Prime Targets for Ransomware

There have been a number of well-publicized ransomware attacks on various public administrations this year. In May, for example, the city of Baltimore discovered a ransomware attack in which a variety of information and services, such as voice mail, email, and a system used to pay water bills, property taxes and vehicle citations, were stolen. The attack also put a halt on at least 1,500 pending home sales.

In essence, ransomware is a form of malware where access to databases or computer systems is blocked until the affected entity pays a sum of money. Often, the attackers will threaten to permanently erase the information if the ransom isn’t paid quickly.

A New Trend

Ransomware attacks on local governments are becoming a real trend. A report published by Recorded Future found that there have been 169 reported ransomware attacks against government agencies since 2013. 

And the number of attacks per year is on the rise. When the report was published in April, there were already 21 government attacks reported in 2019. Since then, ransomware attacks have affected not only Baltimore, but also, among others, Lynn, Massachusetts; Cartersville, Georgia; Georgia’s state court system; and three separate Florida municipalities.

To Pay or Not to Pay

Another finding of the Recorded Future report is that governments are less likely to pay hackers. While 45% of all organizations attacked pay the ransom, only 17% of government agencies reported that they paid.  

Whether or not to pay hackers involves a complicated risk-benefit analysis. Not paying can lead to the permanent erasure of important systems and could cost tens of millions to recover. But while ransoms are generally in the thousands, paying the hackers creates incentive for future ransomware attacks.  

Why are Public Institutions Being Targeted?

So, why are government agencies experiencing all these attacks? Well, as it turns out, they are considered by hackers to be low-hanging fruit. According to Tyler Moore, professor of cybersecurity at the University of Tulsa, “ransomware attacks tend to select victims that rely heavily on information-technology resources, have relatively weak operational cybersecurity practices and have the means to pay substantial ransoms.” And public institutions check all three boxes.

Government agencies are notoriously out of step when it comes to IT. Budgets for IT systems are often too tight for them to keep up. In fact, the Washington Post reported that the Baltimore attack was only successful because the city had not installed freely available security patches and did not regularly back up its information.

Ransomware hackers are opportunistic. After all, why spend the time breaking into well-secured systems when there are plenty of easy-to-access systems out there? Even the most basic security settings can help prevent ransomware attacks. And in the event an attack does happen, creating regular backups of key systems and having a response plan in place will go a long way toward mitigating the effects of an attack.  

Invasion of the Data Snatchers

As you’ve probably heard by now, this week Capital One became the latest company to experience a massive breach of consumer information. According to the company, the breach includes the compromised data of over 100 million individuals. Those affected include both Capital One customers and those who submitted a credit card application within the past 14 years. Most notably, the information stolen includes about 140,000 Social Security numbers and 80,000 bank account numbers. However, information such as names, addresses, reported income, and credit scores was also compromised in the attack.

One of the most interesting aspects of the breach is that the hacker reportedly responsible for the breach once worked for Amazon Web Services, which hosts the Capital One database that was compromised. Paige Thompson, the woman allegedly responsible for the attack, gained access to the database by making use of credentials for the web application’s firewall. This makes the attack just the latest in a long list of breaches involving insider threats via a third party. It is also the latest in a long line of breaches where access was gained through a web application.

Too Early for Key Takeaways Except for One Big Takeaway

A lot remains unknown about the role Ms. Thompson was playing, how she moved through the AWS space (Capital One was not the only company she gained access to) and what her motives were. However, it does show that Capital One’s Incident Response team was prepared to move quickly once the incident was made known. In some cases, being very good at dealing with a crisis is perhaps your strongest (and maybe only) defense.

Equifax Hit Hard — Will it Matter?

On Monday it was announced that Equifax will pay up to $700 million in a settlement with the Federal Trade Commission. The settlement will end the numerous federal and state lawsuits filed against Equifax after the 2017 data breach.  

The attack initially occurred after the company failed to patch a vulnerability in their systems, one they had learned about months earlier. The breach, now considered one of the largest in history, exposed personal information such as names, Social Security numbers, and payment information of over 145 million users. In short, the fines amount to about $4 per impacted person.

In Monday’s settlement, Equifax agreed to pay a minimum of $380.5 million in restitution funds for consumers affected by the breach. The company will add up to $125 million more to the fund if the initial amount runs out. Equifax will also provide free credit monitoring services for those affected.

Alongside the restitution fund, Equifax will pay $175 million in order to end investigations by 50 state attorneys general, and an additional $100 million to end investigations by the Consumer Financial Protection Bureau and the Federal Trade Commission. 

The settlement will now go to the courts for approval. After that, consumers will be able to file a claim for credit monitoring, identity restoration services, and cash payments of up to $20,000. Information on the settlement and claims will be updated here. 

Business as Usual?

With Equifax making $3.4 billion in revenue in 2018, the settlement adds up to about 20% of their revenues (Equifax already took a charge of $690 million in Q1 of this year in anticipation of the fines). However, after an initial drop in stock price, the company has largely recovered financially from the scandal. As of today, Equifax’s stock remains unaffected by news of the settlement.

Alongside Equifax, several large tech companies are beginning to face fines for mishandling consumer information. In March, it was announced the E.U. would fine Google $1.7 billion and earlier this month the FTC approved a $5 billion fine against Facebook. The question that needs to be asked now is how effective these fines really are. Will they be effective as a deterrent or will these large corporations simply factor them into the cost of business?  

From the standpoint of consumers, it’s beginning to seem like real change will only occur through a mix of government regulation and, perhaps more importantly, market demand. It will be up to consumers to demand that their privacy is not something to be taken lightly.