The Five Stages of Data Breach Grief
As a network security company, we have seen our share of frenzied business owners and IT leaders who have had their company data breached, held to ransom or sometimes, completely wiped.
It’s an unfortunate situation for anyone to be in and at best, stressful.
When you see something play out enough times, patterns start to emerge, and the impact of a data breach on a business brings out the same effects as the stages of grief.
It is quite interesting to see how much the feelings from a data breach align with grief, and at the end of the day, there can be huge amounts at stake such as jobs and livelihoods, and whole corporations.
Hopefully few of those reading this will ever have to experience the grief that comes with a breach. But for those who will, here’s what to expect.
No-one wants to believe the shock that comes with a network breach. Whether it's the system you’re employed to protect, or the one that you have spent your livelihood building, learning you have been hacked can be an emotional time.
As with all alarming moments, reactions at this time are compulsive and not always well thought through, which is why so many victims will completely deny a cyber attack in the first instance.
It’s not surprising. With such negative connotations to breaches, business owners will do everything they can to keep their reputation intact and this includes lying in the first instance.
In a recent survey as part of the Small Business Reputation and Cyber Risk Report, it was found that 58% of consumers say that a cyber breach would discourage them from using a business in the future.
Many leaders are well aware of this figure and the impact of damage to both sales and the supply chain following an attack.
This brings us onto our next stage.
Following the act of refusing to believe you have been breached, hiding it from customers, suppliers and sometimes even employees, comes anger.
Attacks can be, and are, devastating to businesses, particularly SMEs, which don’t have the size, reputation and financial backing to redeem themselves after losing much time and money following a network breach.
Those on the receiving end of the breach will be frustrated and looking for someone to blame. It could be an IT manager who takes the hit for not having the correct security precautions in place, or it could be an employee who fell for a phishing scam and visited a bad website. It can sometimes be suppliers whose bad connecting networks poison your own.
With 30% of attacks on SMEs leading to loss of clients, we can understand why business owners will be looking for someone to blame.
This stage of data breach grief is the first step towards acceptance.
The victim is finally coming to terms with the attack and recognises that something needs to be done about it. It’s at this point that the situation will be addressed.
The victim may contact their security provider to arrange a risk assessment to find the source of the attack. It can also be the point where the breached business will address its customers to explain what has happened and how it will affect them.
The main focus in the bargaining stage is to avoid the loss of reputation so often caused by an attack. Businesses will beg and plead with their customers to have patience.
This is an essential part. Over a quarter of attacked businesses claim a data breach causes customer delays. On top of potentially having their personal information exposed, causing them delays can add to the problem.
This is the calm after the storm, when realisation kicks in. Up until this point, it is a frenzied rush of attention, angry customers, social media and security protocols.
Once all the noise has quieted down, the company has time to reflect and see exactly what damage has been caused.
There will be regulators to deal with (more so next year when GDPR is rolled out), employees to grill and security to purchase and update. Through this stage, companies will be helping to compensate customers for any monies lost, data infringed or time wasted. This can be costly and quite a depressing time to manage.
Eventually, once the impacts from the attack are being dealt with, they will move on to the last stage: acceptance.
In the end, any company that has suffered a data breach will eventually ‘own’ it. There is no escaping it, and although many will deny and avoid the situation for some time, the reality will catch up and they will be forced to deal with it.
Throughout the timeline of an attack, the business is forced to go through a range of emotions, and after everything has settled, the only thing to do is accept what has happened and learn from the attack to avoid any future occurrences.