When, not if

March 2016 Editor's Choice, Cyber Security, Security Services & Risk Management

What is one of the top worries of C-suite executives these days? Whether or not their company can survive a database breach.

Evan Bloom, CEO at Fortress Strategic Communications.
Evan Bloom, CEO at Fortress Strategic Communications.

And for good reason. A recent global survey conducted by Gemalto1 found that “nearly two-thirds (64%) of consumers surveyed worldwide say they are unlikely to shop or do business again with a company that had experienced a breach where financial information was stolen, and almost half (49%) had the same opinion when it came to data breaches where personal information was stolen.”

The survey covered Australia, Brazil, France, Germany, Japan, the UK and the US, factoring in the opinions of 5750 consumers. Highlights describe the extent of the issue:

• 31% of respondents have already been affected by a data breach in the past.

• Only 25% of all respondents feel that companies take the protection and security of customer data very seriously.

• More than twice as many respondents feel that the responsibility of protecting and securing customer data falls on the company (69%) as opposed to the customer (31%).

• 23% of respondents who have been a victim of a data breach either have considered or would consider taking legal action against the breached company involved in exposing their personal information.

These findings indicate that consumers could potentially turn their backs on companies that do not protect their customer base, and may even take legal action. The results of the study might even lead some to jump to the conclusion that if a company is breached, its reputation and viability are doomed.

However, the evidence doesn’t follow this assumption. While many might imagine that a data breach and the ensuing media frenzy would trigger a reaction where customers, and then stakeholders would jump ship, in fact, as journalist Doug Drinkwater on CSO observes, “…on closer inspection, it could be argued that this reputation argument is a falsehood.” A data breach may actually have little or no impact on a company’s long-term reputation.

Drinkwater expertly backs up his opinion with clear examples of share price comparisons. Five large brands – Adobe, Target, eBay, JP Morgan, and Home Depot – demonstrated a share price increase over a 12-month period despite significant data breaches.

Drinkwater does not deny that damage is done to a company after a data breach: “customer loyalty damage is done in the event of a breach, and sales do take a nosedive.” But he simply argues that despite all the company costs related to a data breach, “additional security (pen testers, consultants, security vendors, PRs and lawyers), litigation and fines by data protection authorities,” the larger more entrenched companies “are confident they can ride on past the fines and fees, and keep hold of their customers.”

Finally, Drinkwater asserts that “It’s clear then that breaches do result in damaged trust, to a degree brand reputation, and bottom line. Target and JP Morgan pledged to spend an additional $100 million and $500 million on security post-breach, while Target also had to pay back card issuers, and lost $236 million in breach-related costs ($90 million of which was offset by insurance). The experts believe that this cost – and brand damage – can be significantly reduced if a breach is responded to properly.”

All indications show that Drinkwater’s observations are valid. Why? Larger companies that have been breached have the critical mass to absorb impacts to their reputations. They can ride out the storm, make amends to affected customers, activate policies, processes, and procedures to prevent and/or mitigate similar events in the future, and offer customers some form of identity theft protection for a period after the event.

The larger companies have the infrastructure, assets, and advisors necessary to react appropriately to a breach. They know that preparation and timely action are key. They put systems, policies and processes in place before a crisis to protect the company’s reputation and customer base.

Sadly, smaller companies pay a greater price. Either they are in their start-up phase and do not have the financial capacity to pay experts for advice and mitigating solutions, and/or they have not invested in a proactive public relations campaign as one of the key strategic factors that could help them survive a database breach.

Reputation protection options

Even though bigger companies have the resources to protect their reputations and weather a crisis, smaller companies do stand a better chance of recovering from a data breach with their reputations intact provided they take a number of steps:

Understand the risks

Smaller companies should understand the risks that they face on a daily basis. Many fail to conduct a risk and vulnerability audit to determine where they are at risk from a man-made, natural, or technology-based critical event that could decimate their business and income, or simply put them out of business.

Build a strategic PR campaign

A strong PR campaign built on the company’s business and marketing objectives is essential. Companies with an established brand and a proactive PR campaign with established relationships with key journalists stand a better chance of communicating effectively during a crisis, and the media will be more receptive to the company’s messaging because they are already familiar with the business.

Social media communications are a core component of a sound PR plan, both for communication and for monitoring. When a crisis happens, if strong media and social media monitoring protocols are already in place, the company will be able to efficiently track public and media sentiment and articulate its messaging accordingly.

Invest in a content marketing campaign

Focused, relevant, and consistent customer communications will result in customers being fully engaged with company messaging. Then, when a crisis hits, customer communication infrastructure is already set up, and all that is needed is the necessary honest and spin-free messaging, insight and updates. Engaged customers are more likely to continue being receptive to truthful and regular communications, and to potentially support a business during a crisis.

Without a customer communications strategy and infrastructure, it could take anywhere between a couple of hours or a few days to get the message out because content and a database will need to be created first. This is crisis communication lag time that a company may not have. A slow or poorly thought out response will reveal to the public that the company is reactive, not proactive. In the early days of a crisis, inadequate response can lead to losing the battle of the rumour mill, losing control of messaging, and above all, losing trust. It doesn’t take long for a company to be mortally wounded from a brand trust perspective.

Develop business continuity, incident response and disaster recovery plans

This critical component to staying afloat during hard times is strongly recommended in the Poneman Institute’s 2015 Cost of Data Breach Study for the United States, with benchmark data sponsored by IBM. Key players need to know how to respond to an emergency, what IT assets exist, how they should be used, if an invocation should be ordered, how and when a database should be rebuilt, who will be involved in response and recovery, etc.

Invest in a crisis communications plan

An effective crisis communications plan will work in tandem with the PR campaign and the business continuity plan. While it is impossible to have a crisis plan that encompasses every potential crisis scenario, a company should have a master crisis communications plan that is both easy to implement and flexible enough to incorporate change as events unfold.

The recent wave of hacking is indeed alarming. In the New York Post2, Bill Hardekopf, chief executive of LowCards.com, observes that “… people are getting freaked out by all the data breaches.” He adds, however, that retailers who have experienced breaches are probably more secure, more aware, and working harder today because of their experience.

Companies are rolling with the punches, and learning from their mistakes. They are learning that a relatively small investment in PR consulting ahead of time could pay off significantly in curtailing future losses, or even the loss of the business. As Warren Buffett reminds us, “It takes 20 years to build a reputation and five minutes to ruin it. If you think about that, you’ll do things differently.”

In the current climate, it is no longer a matter of if a data breach will strike, but when. All companies should anticipate being hacked. What they do once the hack has occurred could save time, money, frustration, and their hard-won reputation. The bigger the company, the more resilient they may be when weathering a bad reputation storm. Smaller businesses are at greater risk: they must be ready and able to respond proactively and communicate as openly and rapidly as possible to preserve their customer base.


1 http://www.gemalto.com/press/Pages/Global-survey-by-Gemalto-reveals-impact-of-data-breaches-on-customer-loyalty.aspx

2 http://nypost.com/2016/01/16/how-to-fight-off-hackers-from-getting-into-your-wallet/

Based in Syracuse, N.Y., Fortress Strategic Communications provides specialised strategic public relations and crisis communications consulting to companies that offer products, services, and solutions designed to manage and mitigate all types of risk. The company represents African companies expanding to the US. For more information contact [email protected] or visit www.fortresscomms.com

Share this article:
Share via emailShare via LinkedInPrint this page

Further reading:

Security risk and the sum of small things
Leaderware Editor's Choice
Dr Craig Donald advises that the small things we often write off as unimportant can quickly scale to become serious threats to security and safety.

Be aware of privacy and cybercrimes issues
Security Services & Risk Management Cyber Security Retail (Industry)
Artificial intelligence (AI) is being deployed to help shoppers make better choices, but retailers must be aware of their obligations under personal privacy and cybercrimes laws.

Specialised surveillance and communications
Technews Publishing Editor's Choice News Integrated Solutions Residential Estate (Industry)
Hi-Tech Security Solutions spoke to Arcanum Africa’s Peter Stolwerk and Aaron van Schaik to find out a bit more about the company and the unique products it is bringing to the local market.

From Hill Street Blues, to Hillbrow, to managing risk for BMW
Technews Publishing Editor's Choice News Security Services & Risk Management
Jane-Eleanor Morrison’s success story starts from growing up in the stressful pre-democracy times in KZN, moves through a successful career in SAPS. to BMW South Africa where she is now the risk control manager.

Locally designed lock designed to stay locked
Editor's Choice
The new Blade Lock makes it close to impossible to break a lock by conventional means; combined with the Smart Gate, your security behind the door is certain.

Water deluge fire suppression system
FS Systems Editor's Choice Fire & Safety Mining (Industry) Products
The FS Group custom-designed and installed an electronically actuated water deluge fire suppression system for an underground explosives magazine, ensuring both the safety of miners and operations, as well as regulatory compliance.

A cyber security mesh platform underpins an interconnected digital world
Editor's Choice
In a world of interconnected people, devices, networks and applications, a cybersecurity mesh platform is the answer to mitigating ever-present cyber risks.

Look again at security automation
Editor's Choice
Hila Meller, BT Security, global head of sales, shares BT’s learnings on the top five things to consider for your security automation journey.

South Africa adopts ISO standard to guide use of social media in emergencies
Editor's Choice
The South African Bureau of Standards (SABS), through its technical committee, has adopted the ISO 22329 standard that provides guidance on the use of social media during an emergency or crisis.

Free and open-source tool for detecting stalkerware
Editor's Choice
Kaspersky has unveiled a new hub dedicated to TinyCheck, a unique, innovative tool designed to detect stalkerware on mobile devices.