Small and medium businesses (SMBs) that voluntarily disclose a data breach are, on average, likely to suffer 40 per cent less financial damage than their peers that saw the incident leaked to the media, according to a new report.
The financial loss for SMBs that disclose a breach to the public in good time is estimated at $93,000, while their peers that had an incident leaked to the media suffered $155,000 in damage.
Failing to inform the public about a data breach in a timely manner can make its financial and reputational consequences more severe, according to the Kaspersky report titled 'How businesses can minimize the cost of a data breach'.
The same tendency has also been found in enterprises.
Those that voluntarily informed their audiences about a breach experienced 28 per cent less financial damage than those whose incidents were leaked to the press – $1.134 million compared to $1.583 million.
"Proactive disclosure can help turn things around in a company's favour – and it goes beyond just the financial impact. If customers know what happened firsthand, they are likely to maintain their trust in the brand," said Yana Shevchenko, Senior Product Marketing Manager at the cyber security firm Kaspersky.
Some high-profile cases include Yahoo!, which was fined and criticised for not notifying its investors about the data breach it experienced, and Uber, which was fined for covering up an incident.
The report, based on a global survey of more than 5,200 IT and cybersecurity practitioners, shows that organisations that take ownership of the situation usually mitigate the damage.
Only around half (46 per cent) of businesses revealed a breach proactively. Nearly 30 per cent of organisations that had experienced a data breach preferred not to disclose it.
Almost a quarter (24 per cent) of companies tried to hide the incident but saw it leaked to the media.
"Although minimal losses were reported by businesses that managed not to disclose the incident, this approach is far from ideal. Such companies are at risk of losing even more if -- or more likely when -- a cybersecurity incident is revealed to the public against their intentions," the report mentioned.
The survey further proved that risks are especially high for those companies that couldn't immediately detect an attack.
Nearly 29 per cent of SMBs that took more than a week to identify that they had been breached found the news in the press, which is double the share of those that detected it almost immediately (15 per cent).
For enterprises, these figures are similar at 32 per cent and 19 per cent, respectively.