When, not if

March 2016 Editor's Choice, Cyber Security, Security Services & Risk Management

What is one of the top worries of C-suite executives these days? Whether or not their company can survive a database breach.

Evan Bloom, CEO at Fortress Strategic Communications.
Evan Bloom, CEO at Fortress Strategic Communications.

And for good reason. A recent global survey conducted by Gemalto1 found that “nearly two-thirds (64%) of consumers surveyed worldwide say they are unlikely to shop or do business again with a company that had experienced a breach where financial information was stolen, and almost half (49%) had the same opinion when it came to data breaches where personal information was stolen.”

The survey covered Australia, Brazil, France, Germany, Japan, the UK and the US, factoring in the opinions of 5750 consumers. Highlights describe the extent of the issue:

• 31% of respondents have already been affected by a data breach in the past.

• Only 25% of all respondents feel that companies take the protection and security of customer data very seriously.

• More than twice as many respondents feel that the responsibility of protecting and securing customer data falls on the company (69%) as opposed to the customer (31%).

• 23% of respondents who have been a victim of a data breach either have considered or would consider taking legal action against the breached company involved in exposing their personal information.

These findings indicate that consumers could potentially turn their backs on companies that do not protect their customer base, and may even take legal action. The results of the study might even lead some to jump to the conclusion that if a company is breached, its reputation and viability are doomed.

However, the evidence doesn’t follow this assumption. While many might imagine that a data breach and the ensuing media frenzy would trigger a reaction where customers, and then stakeholders would jump ship, in fact, as journalist Doug Drinkwater on CSO observes, “…on closer inspection, it could be argued that this reputation argument is a falsehood.” A data breach may actually have little or no impact on a company’s long-term reputation.

Drinkwater expertly backs up his opinion with clear examples of share price comparisons. Five large brands – Adobe, Target, eBay, JP Morgan, and Home Depot – demonstrated a share price increase over a 12-month period despite significant data breaches.

Drinkwater does not deny that damage is done to a company after a data breach: “customer loyalty damage is done in the event of a breach, and sales do take a nosedive.” But he simply argues that despite all the company costs related to a data breach, “additional security (pen testers, consultants, security vendors, PRs and lawyers), litigation and fines by data protection authorities,” the larger more entrenched companies “are confident they can ride on past the fines and fees, and keep hold of their customers.”

Finally, Drinkwater asserts that “It’s clear then that breaches do result in damaged trust, to a degree brand reputation, and bottom line. Target and JP Morgan pledged to spend an additional $100 million and $500 million on security post-breach, while Target also had to pay back card issuers, and lost $236 million in breach-related costs ($90 million of which was offset by insurance). The experts believe that this cost – and brand damage – can be significantly reduced if a breach is responded to properly.”

All indications show that Drinkwater’s observations are valid. Why? Larger companies that have been breached have the critical mass to absorb impacts to their reputations. They can ride out the storm, make amends to affected customers, activate policies, processes, and procedures to prevent and/or mitigate similar events in the future, and offer customers some form of identity theft protection for a period after the event.

The larger companies have the infrastructure, assets, and advisors necessary to react appropriately to a breach. They know that preparation and timely action are key. They put systems, policies and processes in place before a crisis to protect the company’s reputation and customer base.

Sadly, smaller companies pay a greater price. Either they are in their start-up phase and do not have the financial capacity to pay experts for advice and mitigating solutions, and/or they have not invested in a proactive public relations campaign as one of the key strategic factors that could help them survive a database breach.

Reputation protection options

Even though bigger companies have the resources to protect their reputations and weather a crisis, smaller companies do stand a better chance of recovering from a data breach with their reputations intact provided they take a number of steps:

Understand the risks

Smaller companies should understand the risks that they face on a daily basis. Many fail to conduct a risk and vulnerability audit to determine where they are at risk from a man-made, natural, or technology-based critical event that could decimate their business and income, or simply put them out of business.

Build a strategic PR campaign

A strong PR campaign built on the company’s business and marketing objectives is essential. Companies with an established brand and a proactive PR campaign with established relationships with key journalists stand a better chance of communicating effectively during a crisis, and the media will be more receptive to the company’s messaging because they are already familiar with the business.

Social media communications are a core component of a sound PR plan, both for communication and for monitoring. When a crisis happens, if strong media and social media monitoring protocols are already in place, the company will be able to efficiently track public and media sentiment and articulate its messaging accordingly.

Invest in a content marketing campaign

Focused, relevant, and consistent customer communications will result in customers being fully engaged with company messaging. Then, when a crisis hits, customer communication infrastructure is already set up, and all that is needed is the necessary honest and spin-free messaging, insight and updates. Engaged customers are more likely to continue being receptive to truthful and regular communications, and to potentially support a business during a crisis.

Without a customer communications strategy and infrastructure, it could take anywhere between a couple of hours or a few days to get the message out because content and a database will need to be created first. This is crisis communication lag time that a company may not have. A slow or poorly thought out response will reveal to the public that the company is reactive, not proactive. In the early days of a crisis, inadequate response can lead to losing the battle of the rumour mill, losing control of messaging, and above all, losing trust. It doesn’t take long for a company to be mortally wounded from a brand trust perspective.

Develop business continuity, incident response and disaster recovery plans

This critical component to staying afloat during hard times is strongly recommended in the Poneman Institute’s 2015 Cost of Data Breach Study for the United States, with benchmark data sponsored by IBM. Key players need to know how to respond to an emergency, what IT assets exist, how they should be used, if an invocation should be ordered, how and when a database should be rebuilt, who will be involved in response and recovery, etc.

Invest in a crisis communications plan

An effective crisis communications plan will work in tandem with the PR campaign and the business continuity plan. While it is impossible to have a crisis plan that encompasses every potential crisis scenario, a company should have a master crisis communications plan that is both easy to implement and flexible enough to incorporate change as events unfold.

The recent wave of hacking is indeed alarming. In the New York Post2, Bill Hardekopf, chief executive of LowCards.com, observes that “… people are getting freaked out by all the data breaches.” He adds, however, that retailers who have experienced breaches are probably more secure, more aware, and working harder today because of their experience.

Companies are rolling with the punches, and learning from their mistakes. They are learning that a relatively small investment in PR consulting ahead of time could pay off significantly in curtailing future losses, or even the loss of the business. As Warren Buffett reminds us, “It takes 20 years to build a reputation and five minutes to ruin it. If you think about that, you’ll do things differently.”

In the current climate, it is no longer a matter of if a data breach will strike, but when. All companies should anticipate being hacked. What they do once the hack has occurred could save time, money, frustration, and their hard-won reputation. The bigger the company, the more resilient they may be when weathering a bad reputation storm. Smaller businesses are at greater risk: they must be ready and able to respond proactively and communicate as openly and rapidly as possible to preserve their customer base.


1 http://www.gemalto.com/press/Pages/Global-survey-by-Gemalto-reveals-impact-of-data-breaches-on-customer-loyalty.aspx

2 http://nypost.com/2016/01/16/how-to-fight-off-hackers-from-getting-into-your-wallet/

Based in Syracuse, N.Y., Fortress Strategic Communications provides specialised strategic public relations and crisis communications consulting to companies that offer products, services, and solutions designed to manage and mitigate all types of risk. The company represents African companies expanding to the US. For more information contact [email protected] or visit www.fortresscomms.com

Share this article:
Share via emailShare via LinkedInPrint this page

Further reading:

The components of and need for cyber resilience
Cyber Security Security Services & Risk Management
Organisations need to implement a comprehensive cyber resilience solution with data protection, backup, disaster recovery and business continuity to protect against ever-more complex and rising cyberthreats.

Preventing cyberattacks on critical infrastructure
Industrial (Industry) Cyber Security
Cyberattacks have the potential to disrupt our lives completely, and in instances where critical national infrastructure is attacked, they could disrupt the country’s entire economy, leading to loss of life and livelihoods.

Unrecoverable encrypted data
News Cyber Security
Cybersecurity research indicates that 76% of organisations admit to paying ransomware criminals, however, one-third are still unable to recover data.

Is the smoke beginning to clear for password security?
Access Control & Identity Management Security Services & Risk Management
The password problem is the result of bad habits, and they can be hard to break. But ask anyone that has done it and they will not tire of telling you the benefits.

The benefits of investing in whole-house surge protection
Smart Home Automation Security Services & Risk Management Residential Estate (Industry)
When you consider that the potential for equipment damage can run well into the hundreds of thousands of rands, whole-house surge protection is a worthwhile expense.

Arcserve launches N Series appliances
IT infrastructure Cyber Security
Arcserve introduces N Series appliances offering enterprise-level integrated data protection, recovery and cybersecurity to allow customers to simplify their IT environments and secure data.

Are you your insider threat?
Technews Publishing Editor's Choice Security Services & Risk Management Commercial (Industry)
Insider threats are a critical aspect of risk management today, but what happens when it is the owner of the company acting fraudulently and making sure none of his staff can catch him?

Storage is essential for a comprehensive cybersecurity strategy
Integrated Solutions Cyber Security
Cyber resilience is the ability of an enterprise to limit the impact of security incidents by deploying and arranging appropriate security tools and processes.

Passion, drive and hard work
Technews Publishing Editor's Choice CCTV, Surveillance & Remote Monitoring Security Services & Risk Management
Colleen Glaeser is a leader in the security market, having made her mark in the male-dominated security industry through determination and hard work, along with a vision of making the world a safer place.

2022 trends in video surveillance
Eagle Eye Networks Editor's Choice CCTV, Surveillance & Remote Monitoring Integrated Solutions
Eagle Eye Networks predicts what will impact the video surveillance industry in the coming year and how to seize opportunities and forge a path to success, even amid ongoing uncertainties.