Businesses hit by data breaches could now lose between $2 million and $300 million after an attack, according to Wendi Whitmore, the leader of IBM's X-Force Incident Response and Intelligence Services (IRIS) team. In a recent interview with ZDNet, she said this is because companies have to rebuild their infrastructure and recover lost data after every contemporary breach. The industry veteran noted that some of the more recent attacks have been caused by destructive malware, which is capable of either encrypting or deleting data on enterprise servers. These attacks result not only in the loss of data but also in the disruption of the infrastructure and environment.
Whitmore said it is impossible for organizations to totally prevent malware or ransomware attacks. The security expert believes that companies should instead try to limit the impact of attacks on servers and computers that are not critical to their operations. Among the steps businesses can take to limit the impact of a data breach is ensuring that employees are knowledgeable about account segregation and authentication controls. Furthermore, businesses could save around $1 million if they successfully contain a data breach within a month, according to the same expert. However, despite the increasing costs of data breaches, Whitmore noted that only 23 percent of companies actually have an incident response plan that deals with cyber attacks. Nonetheless, it seems that most organizations have made significant progress in protecting user data. IBM's data shows that 2.9 billion records were compromised last year, a 25 percent reduction compared to the 4 billion records breached in 2016.
Whitmore also discussed the impact of the General Data Protection Regulation (GDPR), legislation going into effect in the European Union next month. A number of tech companies, including Facebook and Microsoft, have already modified their services and products to comply with the regulation. The security expert noted that while the regulation is important for ensuring people's privacy, it could be difficult for companies to comply with the incoming law's 72-hour time limit for notifying authorities about a data breach. Whitmore said that during the first 72 hours after an incident is identified, companies usually do not yet have much information about the breach, making it difficult for them to assess the situation and determine why it occurred, which is exactly the kind of information that authorities will demand from them under GDPR.