From inside out: The real cost of data breaches in our workplaces

by Jennifer Dawson

Vermont sadly isn’t an outlier when it comes to its local businesses and public services suffering data breaches and cyber-attacks. Almost three years on from the attack on the UVM Health Network at the largest hospital in the state, security staff there say they’ve now taken the necessary steps to ensure that patient data is safer than ever.

Experts, however, are warning that attacks like these are just becoming more commonplace. Business owners and members of the public need to be aware of the threats much sooner – and have the necessary security in place to deal with them.

With that in mind, what is the real cost of data breaches in our workplace – and can Vermont do more? 

Massive amounts of money lost

Since then, Vermont has experienced a second attack that also had a severe impact. In July 2023 the CLOP Ransomware Gang, who were already a known threat actor, infiltrated the MOVEit file transfer software.

This was being used by a few public and private organizations in the state. The data breach that occurred was large-scale and it compromised the information of as many as 43 companies, regulated or doing business in the State. 

It was a third-party vendor called PBI Research Services that raised the alert about the threat and notified all the relevant companies so they could take action at the time.

These events always attract headlines, and result in companies having to fork out huge sums of money to put them right. Once the damage is paid for, you’d think that was the end of it, but even once breaches like the ones discussed above have been dealt with, the repercussions are felt for a long time afterward.

Creates long-term cyber issues

Data breaches do have lasting impacts. There are lots of other fees to think about such as:

  • legal payments
  • insurance payments
  • regulatory fines
  • costs of incident response
  • recovery
  • settlements.

Many organizations will experience a decline in earnings in the immediate aftermath of a data breach – and these monetary losses come in addition to all the other known reported costs such as regulatory fines and legal fees. Not to mention any settlements companies have to make with consumers, or other individual businesses and the state.

Indeed, some businesses have ended up billions of dollars out of pocket after a seemingly small-scale attack that has had devastating impacts down the line. The cost of last year’s security breach in Vermont and its impacts aren’t fully known yet, but with so many businesses affected, it isn’t expected to be a ‘cheap fix’ at all.

How can companies mitigate data security breaches?

There are steps companies can take to avoid the data security mistakes that other businesses have made in the past.

However, it’s important to note that response plans to data security breaches often focus only on the technology side and include immediate legal responsibilities. 

There’s an urgent need for IT and data security personnel to get to work containing the threat straight away, ensuring the business is safe from further attack, and making sure the FBI and other relevant authorities are notified.  

A forensic examination of the attack, covering how defenses were breached and whose fault it was, is essential. These investigations determine what needs to happen to avoid a breach in the future and what extra security must be put in place to avoid it happening again.

However, what they don’t do is address the knock-on impacts we’ve discussed above: the ones that occur in the weeks and months after the attack has been caught and dealt with. The last point to consider is how to handle the potentially negative press coverage.

What must businesses do in terms of securing their reputation after a data breach in the workplace? 

Companies must have an appropriate PR plan in place to ensure that they can deal proactively with any fallout that happens and find ways to handle negative press, which there inevitably will be. The news will get out, as it always does one way or the other, even if it’s a few months or even years down the line (as we saw with the hospital cyber-attack).

Demonstrating responsibility and honesty means companies won’t be completely unscathed but will retain some trust from their loyal customers and business partners. 

As we’ve seen, Vermont is no stranger to these kinds of attacks – and how it deals with them going forward will be key to its future success in the private and public sectors. 



2 replies »

  1. Never put sensitive or personal information on the internet. Never connect physical machinery or infrastructure to the internet. Internet 101. Failure to follow these rules will result in obvious outcomes.