The cost to companies due to a data breach can bankrupt a business. There is no type of or size of an organization that isn’t a target of cybercrime. Several years ago, the CIA and NSA were victims of cyberattacks, and the attackers rubbed it in by exposing not only data they stole from these organizations but also by revealing the cyber tools they use. It’s natural to want to throw in the towel. After all, sometimes it feels like we just cannot win this battle. But it's a fight the good guys really can’t afford to lose.

While financial losses can be measured in investigative, notification, and litigation costs, it is nearly impossible to determine loss of business or damage to reputation due to a data breach or other type of cybercrime. And when we’re talking about a hospital—what amount of money can be attributed to lives that are lost or endangered due to a ransomware attack?

Target paid millions to settle a class action lawsuit after a breach in 2013. It also reported $61 million in losses on its earnings reports afterward. However, the number associated with litigation, fraud claims, and investigations is not known.

Companies do have a responsibility to protect data. It may be customer information, financial information, or “merely” employee data. Business email compromise (BEC) attacks are still common and costly. The FBI reported that losses to victims due to this totaled nearly $2.7 billion in 2022. The average amount lost per BEC attack was just over $125,600, representing a 300% increase since 2015.

In 2015, courts affirmed the Federal Trade Commission’s (FTC) authority to hold companies responsible for the loss of data and the harm caused to consumers if they do not follow cybersecurity practices that reasonably protect data. This means companies large and small should consider re-evaluating their cybersecurity strategies. At a minimum, they should cover these three basic areas:

1. Technical Tools

Technical tools should be implemented such as firewalls, anti-malware, and anti-virus solutions, as well as web filtering products. In addition, all systems should be patched and updated regularly and immediately with critical and security-related patches. Implementation and enforcement of a strong password policy is also necessary.

2. Training and Awareness

Training and awareness are essential to any organization, regardless of size. Unfortunately, phishing is the number one way that cybercriminals find their way into networks. Phishing complaints to the FBI regarding cybercrime numbered 300,497 costing $52 million to victims. This is why a thorough and continual training and awareness program is no longer optional.

3. Insurance Coverage

Cyber insurance is becoming more of a necessity in the same way as general liability insurance. After all it is no longer IF an organization will be breached, but when. Like other types of insurance, it can cover the costs of various activities such as investigations, litigation, and notification costs depending on the policy.

It’s worth the time to develop a cybersecurity strategy for any sized organization. For assistance and guidelines, check out the most recent Framework for Improving Critical Infrastructure Cybersecurity from the National Institute of Standards and Technology (NIST).