Data breaches: how long does the damage last?

Published: Oct 09, 2017
Author: by Rodolphe Simonetti

Data breaches can be very expensive. As well as the loss of revenue, there are all the costs of identifying and fixing the problem. And on top of that, there can be charges from card issuers to cover the cost of replacing cards and providing victims with identity-theft protection. Yet, perhaps surprisingly, many companies survive the immediate financial implications. And sales figures often climb back to pre-breach levels, and more.

But research shows that two-thirds of consumers would be unlikely to do business with an organization that experienced a breach where their financial and sensitive information was stolen[1]. While consumers might forgive quite quickly, they don’t forget. Consumer trust is hard to earn—and it’s even harder to win back.

Damage to your reputation could be irreparable

To make things worse, you can’t just stuff those skeletons in the closet. Online news and social media mean that news—often sensationalized—spreads fast and remains readily accessible. Your brand could be associated with poor cybersecurity long after the criminals have moved on and business is back to “normal.”

Even if your sales recover to pre-breach levels, how much trust will consumers have in your brand? They might continue buying from you out of convenience, habit or familiarity. But will they download your new mobile app, or sign up to your loyalty program? Gathering data is important to understanding your customers better, running successful marketing campaigns, developing the products and services they want, and offering the personalized experiences they expect. So, if you lose their trust and they choose to share less with you it could seriously harm your opportunities for growth.

How can you protect your company?

While you can never be completely safe from data breaches, if you handle payment cards Payment Card Industry Data Security Standard (PCI DSS) compliance is a must. Of all the data breach incidents Verizon has investigated since 2010, not a single organization was 100% compliant at the time of the breach.

But complying with the PCI DSS, or any other security standard, is just the first step. You need to build robust, resilient security controls that provide ongoing protection. Sadly, this is where many companies fall down. Our research shows that almost half of organizations struggle to maintain PCI DSS compliance year-round.

Organizations that concentrate on the long-term effectiveness of their security controls have a big advantage over those that focus on short-term compliance.

These five recommendations will help you build sustainable security controls that provide lasting protection:

  • Consolidate your security controls. The PCI DSS contains numerous interlinked data protection standards and regulations. Organizations should be able to use this to consolidate their controls, making them easier to manage overall.
  • Invest in training your employees. They should know how to enhance, monitor and measure the effectiveness of security controls.
  • Apply a balanced approach. Companies need to maintain an internal control environment that is both robust and resilient, to avoid falling out of compliance.
  • Automate everything possible. Applying data protection workflow and automation can be a huge asset, but make sure all automation is frequently audited.
  • Make sure controls work together. The performance of each security control is interlinked. If there’s a problem at the top, this will impact the controls at the bottom. All controls need to work together in an effective and sustainable way, to protect your data.

As your business changes, you need to work continuously to maintain compliance and keep your organization secure. Cybercriminals are constantly testing your defenses; hunting for hidden weak spots and new ways to get in. Unless you make resiliency a priority, your data and reputation will remain at risk.

Learn more about the risks and how to protect your business from cyberattacks.


Rodolphe Simonetti is the global managing director for the Security Assurance Consulting unit at Verizon.  He currently leads a team of 170 resources spread across 20 countries.  Rodolphe coordinates all security assurance services from simple assessments to complex programs within a global environment.  Security Assurance Services include Governance Risk and Compliance (GRC), Payment Card Industry (PCI), Healthcare (HIPAA), Industrial Control, Internet of Things (IoT), Penetration Testing, Code Reviews as well as Hardware, Software and Solutions testing and certification (ICSA Labs).


[1] Gemalto, Customer Loyalty Study, 2016