When, not if

March 2016 Editor's Choice, Information Security, Security Services & Risk Management

What is one of the top worries of C-suite executives these days? Whether or not their company can survive a database breach.

Evan Bloom, CEO at Fortress Strategic Communications.
Evan Bloom, CEO at Fortress Strategic Communications.

And for good reason. A recent global survey conducted by Gemalto1 found that “nearly two-thirds (64%) of consumers surveyed worldwide say they are unlikely to shop or do business again with a company that had experienced a breach where financial information was stolen, and almost half (49%) had the same opinion when it came to data breaches where personal information was stolen.”

The survey covered Australia, Brazil, France, Germany, Japan, the UK and the US, factoring in the opinions of 5750 consumers. Highlights describe the extent of the issue:

• 31% of respondents have already been affected by a data breach in the past.

• Only 25% of all respondents feel that companies take the protection and security of customer data very seriously.

• More than twice as many respondents feel that the responsibility of protecting and securing customer data falls on the company (69%) as opposed to the customer (31%).

• 23% of respondents who have been a victim of a data breach either have considered or would consider taking legal action against the breached company involved in exposing their personal information.

These findings indicate that consumers could potentially turn their backs on companies that do not protect their customer base, and may even take legal action. The results of the study might even lead some to jump to the conclusion that if a company is breached, its reputation and viability are doomed.

However, the evidence doesn’t follow this assumption. While many might imagine that a data breach and the ensuing media frenzy would trigger a reaction where customers, and then stakeholders would jump ship, in fact, as journalist Doug Drinkwater on CSO observes, “…on closer inspection, it could be argued that this reputation argument is a falsehood.” A data breach may actually have little or no impact on a company’s long-term reputation.

Drinkwater expertly backs up his opinion with clear examples of share price comparisons. Five large brands – Adobe, Target, eBay, JP Morgan, and Home Depot – demonstrated a share price increase over a 12-month period despite significant data breaches.

Drinkwater does not deny that damage is done to a company after a data breach: “customer loyalty damage is done in the event of a breach, and sales do take a nosedive.” But he simply argues that despite all the company costs related to a data breach, “additional security (pen testers, consultants, security vendors, PRs and lawyers), litigation and fines by data protection authorities,” the larger more entrenched companies “are confident they can ride on past the fines and fees, and keep hold of their customers.”

Finally, Drinkwater asserts that “It’s clear then that breaches do result in damaged trust, to a degree brand reputation, and bottom line. Target and JP Morgan pledged to spend an additional $100 million and $500 million on security post-breach, while Target also had to pay back card issuers, and lost $236 million in breach-related costs ($90 million of which was offset by insurance). The experts believe that this cost – and brand damage – can be significantly reduced if a breach is responded to properly.”

All indications show that Drinkwater’s observations are valid. Why? Larger companies that have been breached have the critical mass to absorb impacts to their reputations. They can ride out the storm, make amends to affected customers, activate policies, processes, and procedures to prevent and/or mitigate similar events in the future, and offer customers some form of identity theft protection for a period after the event.

The larger companies have the infrastructure, assets, and advisors necessary to react appropriately to a breach. They know that preparation and timely action are key. They put systems, policies and processes in place before a crisis to protect the company’s reputation and customer base.

Sadly, smaller companies pay a greater price. Either they are in their start-up phase and do not have the financial capacity to pay experts for advice and mitigating solutions, and/or they have not invested in a proactive public relations campaign as one of the key strategic factors that could help them survive a database breach.

Reputation protection options

Even though bigger companies have the resources to protect their reputations and weather a crisis, smaller companies do stand a better chance of recovering from a data breach with their reputations intact provided they take a number of steps:

Understand the risks

Smaller companies should understand the risks that they face on a daily basis. Many fail to conduct a risk and vulnerability audit to determine where they are at risk from a man-made, natural, or technology-based critical event that could decimate their business and income, or simply put them out of business.

Build a strategic PR campaign

A strong PR campaign built on the company’s business and marketing objectives is essential. Companies with an established brand and a proactive PR campaign with established relationships with key journalists stand a better chance of communicating effectively during a crisis, and the media will be more receptive to the company’s messaging because they are already familiar with the business.

Social media communications are a core component of a sound PR plan, both for communication and for monitoring. When a crisis happens, if strong media and social media monitoring protocols are already in place, the company will be able to efficiently track public and media sentiment and articulate its messaging accordingly.

Invest in a content marketing campaign

Focused, relevant, and consistent customer communications will result in customers being fully engaged with company messaging. Then, when a crisis hits, customer communication infrastructure is already set up, and all that is needed is the necessary honest and spin-free messaging, insight and updates. Engaged customers are more likely to continue being receptive to truthful and regular communications, and to potentially support a business during a crisis.

Without a customer communications strategy and infrastructure, it could take anywhere between a couple of hours or a few days to get the message out because content and a database will need to be created first. This is crisis communication lag time that a company may not have. A slow or poorly thought out response will reveal to the public that the company is reactive, not proactive. In the early days of a crisis, inadequate response can lead to losing the battle of the rumour mill, losing control of messaging, and above all, losing trust. It doesn’t take long for a company to be mortally wounded from a brand trust perspective.

Develop business continuity, incident response and disaster recovery plans

This critical component to staying afloat during hard times is strongly recommended in the Poneman Institute’s 2015 Cost of Data Breach Study for the United States, with benchmark data sponsored by IBM. Key players need to know how to respond to an emergency, what IT assets exist, how they should be used, if an invocation should be ordered, how and when a database should be rebuilt, who will be involved in response and recovery, etc.

Invest in a crisis communications plan

An effective crisis communications plan will work in tandem with the PR campaign and the business continuity plan. While it is impossible to have a crisis plan that encompasses every potential crisis scenario, a company should have a master crisis communications plan that is both easy to implement and flexible enough to incorporate change as events unfold.

The recent wave of hacking is indeed alarming. In the New York Post2, Bill Hardekopf, chief executive of LowCards.com, observes that “… people are getting freaked out by all the data breaches.” He adds, however, that retailers who have experienced breaches are probably more secure, more aware, and working harder today because of their experience.

Companies are rolling with the punches, and learning from their mistakes. They are learning that a relatively small investment in PR consulting ahead of time could pay off significantly in curtailing future losses, or even the loss of the business. As Warren Buffett reminds us, “It takes 20 years to build a reputation and five minutes to ruin it. If you think about that, you’ll do things differently.”

In the current climate, it is no longer a matter of if a data breach will strike, but when. All companies should anticipate being hacked. What they do once the hack has occurred could save time, money, frustration, and their hard-won reputation. The bigger the company, the more resilient they may be when weathering a bad reputation storm. Smaller businesses are at greater risk: they must be ready and able to respond proactively and communicate as openly and rapidly as possible to preserve their customer base.

References

1 http://www.gemalto.com/press/Pages/Global-survey-by-Gemalto-reveals-impact-of-data-breaches-on-customer-loyalty.aspx

2 http://nypost.com/2016/01/16/how-to-fight-off-hackers-from-getting-into-your-wallet/

Based in Syracuse, N.Y., Fortress Strategic Communications provides specialised strategic public relations and crisis communications consulting to companies that offer products, services, and solutions designed to manage and mitigate all types of risk. The company represents African companies expanding to the US. For more information contact info@fortresscomms.com or visit www.fortresscomms.com





Share this article:
Share via emailShare via LinkedInPrint this page



Further reading:

Data security and privacy in global mobility
Risk Management & Resilience Information Security
Data security and privacy in today’s interconnected world is of paramount importance. In the realm of global mobility, where individuals and organisations traverse borders for various reasons, safeguarding sensitive information becomes an even more critical imperative.

Read more...
Sophos celebrates partners and cybersecurity innovation at annual conference
News & Events Information Security
[Sponsored] Sun City hosted Sophos' annual partner event this year, which took place from 12 to 14 March. Sophos’ South African cybersecurity distributors and resellers gathered for an engaging two-day conference.

Read more...
Enhance control rooms with surveillance and intelligence
Leaderware Editor's Choice Surveillance Mining (Industry)
Dr Craig Donald advocates the use of intelligence and smart surveillance to assist control rooms in dealing with the challenges of the size and dispersed nature common in all mining environments.

Read more...
A long career in mining security
Technews Publishing Editor's Choice Mining (Industry) Risk Management & Resilience
Nash Lutchman recently retired from a security and law enforcement career, initially as a police officer, and for the past 16 years as a leader of risk and security operations in the mining industry.

Read more...
A constant armed struggle
Technews Publishing XtraVision Editor's Choice Integrated Solutions Mining (Industry) IoT & Automation
SMART Security Solutions asked a few people involved in servicing mines to join us for a virtual round table and give us their insights into mine security today. A podcast of the discussion will be released shortly-stay tuned.

Read more...
Risk management: There's an app for that
Editor's Choice News & Events Risk Management & Resilience
Zulu Consulting has streamlined the corporate risk management process with the launch of Risk-IO, a web-based app designed to consolidate and guide risk managers through the process, monitoring progress as one proceeds.

Read more...
Integrated information platform for risk management
Editor's Choice News & Events Risk Management & Resilience
Online Intelligence recently launched version 7 of its CiiMS risk and security platform. Speaking to SMART Security Solutions after the launch event, the company’s Arnold van den Bout described the enhancements in version 7.

Read more...
Unlocking Africa's AI potential
Editor's Choice News & Events AI & Data Analytics
Africa's AI market is set to grow exponentially; by investing in AI education, training, and ethical practices, African nations can harness the power of AI to transform the continent and create a brighter future for its people.

Read more...
The CIPC hack has potentially serious consequences
Editor's Choice Information Security
A cyber breach at the South African Companies and Intellectual Property Commission (CIPC) has put millions of companies at risk. The organisation holds a vast database of registration details, including sensitive data like ID numbers, addresses, and contact information.

Read more...
Global Identity Fraud Report revealing eight-month ‘mega-attack’
Editor's Choice Risk Management & Resilience
AU10TIX recently released its Q4 Global Identity Fraud Report, with the research identifying two never-before-seen attack patterns, with the worst case involving 22 000+ AI-generated variations of a single U.S. passport.

Read more...