The volume and frequency of data breaches seem to have hit a new high in recent months. But away from the sensational headlines, do we really know what the impact of such incidents can be on the victim organisation’s reputation and bottom line? Centrify recently commissioned the Ponemon Institute to shine a light on exactly this area -- interviewing CMOs, IT practitioners and customers -- and uncovered some fascinating findings.
Not only do UK firms on average see a lasting share price slump of 5% following a breach, but many IT and marketing professionals are profoundly divided --from each other and the position of their customers -- on what their roles and responsibilities should be in protecting the organisation and its brand reputation.
To discuss the findings further, we gathered some of the most influential IT journalists in the UK to The Shard in London on Thursday.
Communication is Key
One of the key points to emerge from our roundtable debate on the report, The Impact of Data Breaches on Reputation & Share Value, was the importance of communication, both inside the organisation and externally. We all know that breaches to an extent are inevitable. However, it’s how the company responds that is important. As one of the journalists attending argued, if customers feel they’ve been treated with respect and informed of what has happened in a timely manner, they’ll be more forgiving. Yet the infamous example of TalkTalk shows how poor crisis comms can actually turn what was a limited data breach affecting a small percentage of customers into something that appears much worse, and affects the brand accordingly.
Marketing teams therefore need to be involved in the incident response process from the start, as key communicators. Yet often the IT team is in charge, and fails to talk to the business in a language it understands. This not only leads to poorly briefed spokespeople but can have a real impact on how much the board really cares about cybersecurity. In the report, 39% of IT practitioners and 36% of CMOs said they don’t believe brand protection is taken seriously in the C-Suite. This might be because the impact of a potential breach isn’t being communicated effectively. Every board meeting should feature a conversation about how can the organisation can get better at security. In fact, all staff should know the value of the data they handle and the impact on their employer if it ends up in the wrong hands.
Another journalist raised the important point that communication should also flow out to third party contractors and providers, who now make up an increasingly large and important part of modern organisations. They need to be educated about the value of data protection and audited in best practices.
Security as Differentiator
A third roundtable attendee questioned whether the public was now so fatigued with news of breaches, whether the impact would actually be that great at all. But let’s be in no doubt, 27% of those customers we spoke to claimed they’d left after a breach and 65% said they’d lost trust in the breached organisation. That’s a pretty major impact.
Smart organisations should be using security as a competitive differentiator, but at present there’s little in any outreach to shareholders and customers on what security measures and processes are in place. This kind of thing should be driven right from the top. Implement best practice security (more of which later) and measure it over time, communicating the difference.
A Damaging Disconnect
The report also reveals a worrying disconnect between the priorities of IT pros, CMOs and customers. Unsurprisingly, 79% of consumers believe organisations have an obligation to take reasonable steps to secure their personal information. Yet that figure drops significantly for CMOs (64%) and IT practitioners (66%), meaning around third of these roles don’t agree. Even more telling, just 23% of CMOs and 3% of IT practitioners said they’d be concerned about a decline in their companies’ stock price. Yet for IT pros, the biggest concern after a breach (63%) is the potential loss of their own jobs.
This all comes back to the communication problem inside organisations. Clearly there’s a link between a data breach -- and the IT function’s role in preventing it -- the share price, brand reputation and job losses. Everyone in the organisation should have a core mission to protect customer data, and therefore brand value and the share price -- after all their livelihoods depend on it. Yet employees are simply not joining the dots on this hugely important issue.
What To Do
The forthcoming European General Data Protection Regulation (GDPR), which will mandate 72-hour breach notifications, could raise the stakes even further. So, what should firms be focusing on to improve their security?
At the roundtable we made the point that throwing money at the problem isn’t going to work unless it’s spent in the right areas. The truth is that 80% of breaches come as a result of passwords and people having too much access to key systems. It’s therefore vital to limit access via things like least privilege policies and to enforce context-based multi-factor authentication, which will enhance password-based log-ins with extra authentication security if an attempt seems dodgy.
Aside from this, the firms we spoke to for the report that were judged to have a high Security Effectiveness Score -- which also saw a smaller share price drop following a breach -- featured some of the following:
- A dedicated CISO
- Strategic security investments, including enterprise-wide encryption
- Training and awareness programs to minimise employee negligence
- Regular security audits
- Comprehensive program to manage third-party risk
- Participation in threat sharing programs
Read "The Impact on Data Breaches on Reputation & Share Value" report fully here.
This is written by the individual author in his/her personal capacity, and the opinions, views and/or thoughts expressed herein are solely the author’s own. They are not intended to and may not necessarily reflect the official policy or position, or the opinions or views of ThycoticCentrify or its affiliates, employees, or any other group or individual.