What CEOs and CFOs Should Know: The 7 Costs of SaaS Data Loss
Data protection and recovery are not just problems for the IT department. As organizations large and small seek advantages by adopting cloud and Software-as-a-Service (SaaS) applications, they face new risks to business continuity that affect all departments.
In addition to the Chief Technology Officer (CTO), senior executives all the way up to the President and Chief Executive Officer (CEO) need to understand these risks, as they affect all departments and aspects of a business. In this article, we explore:
- How data loss risk has changed since the advent of SaaS
- Seven ways organizations put themselves at risk if they lose SaaS data.
- What the C-Suite needs to do now
How Data Loss Risk has Changed Since the Advent of SaaS
Data protection responsibilities change when adopting SaaS applications, and so do the potential costs from these new data loss risks. When an organization subscribes to an application, it reduces its responsibility for maintaining the application and its supporting infrastructure — which frees up resources and enables greater agility.
The organization, however, still owns responsibility for their users of the app, and they own application configuration and application integration. They also share data responsibility with the SaaS application provider.
This means an organization using a SaaS application like Microsoft Office 365 may lose data through human error, and then find that Microsoft cannot restore that data. Even though Microsoft Office 365’s retention times can be customized, for example, there are limitations — your data ultimately can be lost.
Seven Costs of Data Loss
Since there are nontrivial costs associated with SaaS data loss, it’s a problem for all executives. Here are the seven costs of data loss.
- Productivity losses. If your organization suffers a ransomware attack, meaning your critical business data is locked up by attackers, Ponemon and Accenture research shows it can take on average 23 days to resolve — and more than 25% of organizations surveyed suffered ransomware attacks, nearly double the previous year. It can even necessitate the use of pen and paper for all work, instead of IT systems, until the ransomware is cleared. Can your organization afford to lose productivity over that length of time?
- Penalties and fines for noncompliance. Establishing a litigation hold is not in itself sufficient to protect an organization from penalties and fines. In 2016, one company “found themselves on the wrong end of a $3 million sanctions penalty for spoliation of evidence.”
- Reputational cost. If an organization’s reputation is damaged, as it would be in a public lawsuit involving data loss such as document spoliation, the cost of borrowing may rise, as in the examples provided here. “…the average incremental difference between a BBB rating and an A rating on a 10-yr note [approaches] 60 basis points…”
- Labor cost. According to a 2018 report by Ponemon and Accenture, it takes on average 50 days to resolve a malicious insiders attack. That includes effort across many departments — and time spent on recovery is essentially a loss, as its not spent on moving the organization forward.
- Recovery cost. An estimation based on 2013 data from Ponemon shows the cost per day to recover from a cyberattack is roughly $32,500, making a low estimated total of $1,625,000 without adjusting for 2018.
- Legal costs for non-compliance. Legal defense can be complicated by spoliation, or loss, of electronic data, and costs can rise along with data loss. “…a party’s litigation costs increased by approximately 10% for each type of dispute over ESI, including spoliation.”
- Revenue risks. If the data lost involves contracts, requests for support, or correspondence with customers, it can lead to lost business as well as reputational loss.
What can CEOs and CFOs do now to Reduce the Risks and Costs of Data Loss?
CEOs and CFOs have a fiduciary responsibility to the organization. If your executive team and IT organization haven’t recently discussed and implemented SaaS data recovery plans, now is the time to do so. Not all data requires the same level of protection, and that will be an important area for discussion.
All executives should be stakeholders in that planning, and should confirm that data loss recovery strategies and solutions have been tested, and are working — even in the event of an accidental data loss, such as from a sync error or an accidental data overwrite. Their trusted partners in IT should be comfortable demonstrating how they will meet agreed-upon Recovery Time Objectives (how much time is acceptable until lost data is recovered) and Recovery Point Objectives (how far back in time must data be recoverable).
Once planning is in process, you will need to budget for solutions purpose-built to enable fast recovery from SaaS data loss. While applications like Office 365 offer some native protection from data loss, and may provide ways to perform litigation holds, these are stop-gaps for fast, accurate recovery.
Bottom line — data is important to your organization, and you need to be able to recover from accidental or malicious losses quickly and efficiently.