By Zee Johnson
2021 was coined the “Year of the Breach,” and 2022 didn’t lag far behind. In 2021, there were 1862 total data compromises, affecting 293,927,708 people. Though the total number of compromises was lower last year (1802), the increase in victims was staggering, rising by 70%, or 422 million more people.
Leaders are rightfully taking heed to these figures and are focusing their attention on tightening data security. In fact, about two in five (39%) respondents in HRO Today’s Top Concerns for CHROs Report cite cyber security as their top concern this year.
There are a number of actions that can be taken to stop or diminish the chance of an attack. But who’s the first in line on the defense? Who is most responsible for guarding critical information—employer or employee?
“All too often, organizations assume that if they put the right system or technology in place, critical information will be automatically protected,” says Mike Kiser, director of strategy and standards at SailPoint. “In reality, security is a team sport; this means, making the most secure usage patterns the default, easiest choice.”
Kiser notes that the responsibility ultimately falls on the organizations and those that build data security ethos into the company’s culture will remain the safest from threats.
Haider Iqbal, director of product marketing for Thales, agrees with aligning data protection with company culture, and says it takes time, practice, and shouldn’t be a one-off exercise. “Ongoing employee training on data protection and compliance obligations is imperative as part of a shared responsibility model between employees and the company,” he says. “Employees need to understand that in their organization's data protection arsenal, they are the first line of defense and can also be its greatest weakness. Employees are central to data protection.”
William MacMillan, senior vice president of information security at Salesforce, says in order to drive a “security-first” culture, organizations must make key investments. “As the threat landscape evolves, it is necessary for businesses to foster a security-first culture, which means investing in the proper tools, infrastructure, and ongoing training to keep cybersecurity at the top of employees’ minds,” he says. “For example, requiring multi-factor authentication (MFA) adds extra protection to the login process, such as entering a password and using an authentication app, to drastically reduce unauthorized access even if a password is stolen.”
Carmen Collins, director of IT and information security at Namecoach, says ultimately, it’s up to employers to highlight the importance of having secure functions. “The [company] should ensure there are multiple layers of protection,” she says. “Ultimately, the organization sets the tone and the culture regarding protecting company data.”
It’s no wonder that experts recommend ingraining data security into company culture; the consequences of a breach can be immense. An IBM report discovered that on average, a data breach costs U.S. companies $9.44 million, $5.09 million more than the global average. And another survey revealed that the cost of cybercrime is predicted to hit $8 trillion this year and will grow to $10.5 trillion in the next two years.
Harrowing consequences could spell trouble for HR. In an already oscillating and often unpredictable market, having the stigma of being an insecure organization could greatly impact the employee experience and the quantity and quality of talent a company can attract.
CEO of NetSfere, Anurag Lal, says breaches are a worst-case, costly scenario that affect some industries far more than others. “Data breaches can be detrimental to enterprises,” he says. “Healthcare and financial institutions are usually the ones most at risk of breaches because they hold the information that hackers want. Protected healthcare information (PHI), banking information, is like gold for them.”
He says that last year, there were over 700 healthcare data breaches compromising the PHI of over 6 million individuals. In fact, the IBM report found that the healthcare industry was the most targeted sector for the past 12 years and the average cost of a breach went up 42% since 2020 ($10.10 million).
Wrapped in the cost of a breach, Iqbal says, are a slew of fees and fines for violations. “Enforcement powers under the EU's General Data Protection Regulation or GDPR are significant as violation fines can reach up to 20 million Euros or 4% of an organization's global annual revenue, per violation, whichever is larger,” he says. “In addition, there are intangible costs such as operational disruption, rises in insurance premiums and increased cost to raise debt.”
Aside from the financial burden—and possibly more significant—is the reputational damage. “One of the most obvious consequences is that customers will not do business with the organization any longer,” says Collins. “There could be brand damage that lasts for years because every time someone searches the internet for that organization, information about the data breach is displayed.”
These days, hacking and cybercrimes are very common. So much so, that 83% of companies can expect some kind of breach to happen. Dr. Martin J. Kraemer, a security awareness advocate at KnowBe4, knows that the consequences are high, but believes brands are more than capable of repairing damage thereafter. “In the past, data breaches have affected stock prices. Stock prices have recovered soon enough in most cases, and today we can observe stock prices being less and less affected by data breaches,” he says. “This might be a testament to better business continuity planning and higher resilience of businesses, such that customers can be assured the company will get back on track quickly. It might also be a recognition of the inevitability of data breaches.”