When, not if

March 2016 Editor's Choice, Information Security, Security Services & Risk Management

What is one of the top worries of C-suite executives these days? Whether or not their company can survive a database breach.

Evan Bloom, CEO at Fortress Strategic Communications.
Evan Bloom, CEO at Fortress Strategic Communications.

And for good reason. A recent global survey conducted by Gemalto1 found that “nearly two-thirds (64%) of consumers surveyed worldwide say they are unlikely to shop or do business again with a company that had experienced a breach where financial information was stolen, and almost half (49%) had the same opinion when it came to data breaches where personal information was stolen.”

The survey covered Australia, Brazil, France, Germany, Japan, the UK and the US, factoring in the opinions of 5750 consumers. Highlights describe the extent of the issue:

• 31% of respondents have already been affected by a data breach in the past.

• Only 25% of all respondents feel that companies take the protection and security of customer data very seriously.

• More than twice as many respondents feel that the responsibility of protecting and securing customer data falls on the company (69%) as opposed to the customer (31%).

• 23% of respondents who have been a victim of a data breach either have considered or would consider taking legal action against the breached company involved in exposing their personal information.

These findings indicate that consumers could potentially turn their backs on companies that do not protect their customer base, and may even take legal action. The results of the study might even lead some to jump to the conclusion that if a company is breached, its reputation and viability are doomed.

However, the evidence doesn’t follow this assumption. While many might imagine that a data breach and the ensuing media frenzy would trigger a reaction where customers, and then stakeholders would jump ship, in fact, as journalist Doug Drinkwater on CSO observes, “…on closer inspection, it could be argued that this reputation argument is a falsehood.” A data breach may actually have little or no impact on a company’s long-term reputation.

Drinkwater expertly backs up his opinion with clear examples of share price comparisons. Five large brands – Adobe, Target, eBay, JP Morgan, and Home Depot – demonstrated a share price increase over a 12-month period despite significant data breaches.

Drinkwater does not deny that damage is done to a company after a data breach: “customer loyalty damage is done in the event of a breach, and sales do take a nosedive.” But he simply argues that despite all the company costs related to a data breach, “additional security (pen testers, consultants, security vendors, PRs and lawyers), litigation and fines by data protection authorities,” the larger more entrenched companies “are confident they can ride on past the fines and fees, and keep hold of their customers.”

Finally, Drinkwater asserts that “It’s clear then that breaches do result in damaged trust, to a degree brand reputation, and bottom line. Target and JP Morgan pledged to spend an additional $100 million and $500 million on security post-breach, while Target also had to pay back card issuers, and lost $236 million in breach-related costs ($90 million of which was offset by insurance). The experts believe that this cost – and brand damage – can be significantly reduced if a breach is responded to properly.”

All indications show that Drinkwater’s observations are valid. Why? Larger companies that have been breached have the critical mass to absorb impacts to their reputations. They can ride out the storm, make amends to affected customers, activate policies, processes, and procedures to prevent and/or mitigate similar events in the future, and offer customers some form of identity theft protection for a period after the event.

The larger companies have the infrastructure, assets, and advisors necessary to react appropriately to a breach. They know that preparation and timely action are key. They put systems, policies and processes in place before a crisis to protect the company’s reputation and customer base.

Sadly, smaller companies pay a greater price. Either they are in their start-up phase and do not have the financial capacity to pay experts for advice and mitigating solutions, and/or they have not invested in a proactive public relations campaign as one of the key strategic factors that could help them survive a database breach.

Reputation protection options

Even though bigger companies have the resources to protect their reputations and weather a crisis, smaller companies do stand a better chance of recovering from a data breach with their reputations intact provided they take a number of steps:

Understand the risks

Smaller companies should understand the risks that they face on a daily basis. Many fail to conduct a risk and vulnerability audit to determine where they are at risk from a man-made, natural, or technology-based critical event that could decimate their business and income, or simply put them out of business.

Build a strategic PR campaign

A strong PR campaign built on the company’s business and marketing objectives is essential. Companies with an established brand and a proactive PR campaign with established relationships with key journalists stand a better chance of communicating effectively during a crisis, and the media will be more receptive to the company’s messaging because they are already familiar with the business.

Social media communications are a core component of a sound PR plan, both for communication and for monitoring. When a crisis happens, if strong media and social media monitoring protocols are already in place, the company will be able to efficiently track public and media sentiment and articulate its messaging accordingly.

Invest in a content marketing campaign

Focused, relevant, and consistent customer communications will result in customers being fully engaged with company messaging. Then, when a crisis hits, customer communication infrastructure is already set up, and all that is needed is the necessary honest and spin-free messaging, insight and updates. Engaged customers are more likely to continue being receptive to truthful and regular communications, and to potentially support a business during a crisis.

Without a customer communications strategy and infrastructure, it could take anywhere between a couple of hours or a few days to get the message out because content and a database will need to be created first. This is crisis communication lag time that a company may not have. A slow or poorly thought out response will reveal to the public that the company is reactive, not proactive. In the early days of a crisis, inadequate response can lead to losing the battle of the rumour mill, losing control of messaging, and above all, losing trust. It doesn’t take long for a company to be mortally wounded from a brand trust perspective.

Develop business continuity, incident response and disaster recovery plans

This critical component to staying afloat during hard times is strongly recommended in the Poneman Institute’s 2015 Cost of Data Breach Study for the United States, with benchmark data sponsored by IBM. Key players need to know how to respond to an emergency, what IT assets exist, how they should be used, if an invocation should be ordered, how and when a database should be rebuilt, who will be involved in response and recovery, etc.

Invest in a crisis communications plan

An effective crisis communications plan will work in tandem with the PR campaign and the business continuity plan. While it is impossible to have a crisis plan that encompasses every potential crisis scenario, a company should have a master crisis communications plan that is both easy to implement and flexible enough to incorporate change as events unfold.

The recent wave of hacking is indeed alarming. In the New York Post2, Bill Hardekopf, chief executive of LowCards.com, observes that “… people are getting freaked out by all the data breaches.” He adds, however, that retailers who have experienced breaches are probably more secure, more aware, and working harder today because of their experience.

Companies are rolling with the punches, and learning from their mistakes. They are learning that a relatively small investment in PR consulting ahead of time could pay off significantly in curtailing future losses, or even the loss of the business. As Warren Buffett reminds us, “It takes 20 years to build a reputation and five minutes to ruin it. If you think about that, you’ll do things differently.”

In the current climate, it is no longer a matter of if a data breach will strike, but when. All companies should anticipate being hacked. What they do once the hack has occurred could save time, money, frustration, and their hard-won reputation. The bigger the company, the more resilient they may be when weathering a bad reputation storm. Smaller businesses are at greater risk: they must be ready and able to respond proactively and communicate as openly and rapidly as possible to preserve their customer base.

References

1 http://www.gemalto.com/press/Pages/Global-survey-by-Gemalto-reveals-impact-of-data-breaches-on-customer-loyalty.aspx

2 http://nypost.com/2016/01/16/how-to-fight-off-hackers-from-getting-into-your-wallet/

Based in Syracuse, N.Y., Fortress Strategic Communications provides specialised strategic public relations and crisis communications consulting to companies that offer products, services, and solutions designed to manage and mitigate all types of risk. The company represents African companies expanding to the US. For more information contact [email protected] or visit www.fortresscomms.com





Share this article:
Share via emailShare via LinkedInPrint this page



Further reading:

Your Wi-Fi router is about to start watching you
News & Events Surveillance Security Services & Risk Management
Advanced algorithms are able to analyse your Wi-Fi signals and create a representation of your movements, turning your home's Wi-Fi into a motion detection and personal identification system.

Read more...
South African fire standards in a nutshell
Fire & Safety Editor's Choice Training & Education
The importance of compliant fire detection systems and proper fire protection cannot be overstated, especially for businesses. Statistics reveal that 44% of businesses fail to reopen after a fire.

Read more...
The growing role of hybrid backup
Infrastructure Information Security
As Africa’s digital economy rapidly grows, businesses across the continent are facing the challenge of securing data in an environment characterised by evolving cyberthreats, unreliable connectivity and diverse regulatory frameworks.

Read more...
Choicejacking bypasses smartphone charging security
News & Events Information Security
Choicejacking is a new cyberthreat that bypasses smartphone charging security defences to confirm, without the victim’s input or consent, that the victim wishes to connect in data-transfer mode.

Read more...
Most wanted malware
News & Events Information Security
Check Point Software Technologies unveiled its Global Threat Index for June 2025, highlighting a surge in new and evolving threats. Eight African countries are among the most targeted as malware leaders AsyncRAT and FakeUpdates expand.

Read more...
LidarVision for substation security
Fire & Safety Government and Parastatal (Industry) Editor's Choice
EG.D supplies electricity to 2,7 million people in the southern regions of the Czech Republic, on the borders of Austria and Germany. The company operates and maintains infrastructure, including power lines and high-voltage transformer substations.

Read more...
Standards for fire detection
Fire & Safety Associations Editor's Choice
In previous articles in the series on fire standards, Nick Collins discussed SANS 10400-T and SANS 10139. In this editorial, he continues with SANS 322 – Fire Detection and Alarm Systems for Hospitals.

Read more...
Wildfires: a growing global threat
Editor's Choice Fire & Safety
Regulatory challenges and litigation related to wildfire liabilities are on the rise, necessitating robust risk management strategies and well-documented wildfire management plans. Technological innovations are enhancing detection and suppression capabilities.

Read more...
SMARTpod talks to Sophos and Phishield
SMART Security Solutions Technews Publishing Sophos Videos Information Security News & Events
SMARTpod recently spoke with Pieter Nel, Sales Director for SADC at Sophos, and Sarel Lamprecht, MD at Phishield, about ransomware and their new cyber insurance partnership.

Read more...
Corporate and academic teams can register for Kaspersky contest
Kaspersky News & Events Information Security
Kaspersky has announced the registration opening for its new Kaspersky{CTF} (Capture the Flag) competition, inviting academic and corporate teams from around the globe to compete in a battle of skill, strategy and innovation.

Read more...










While every effort has been made to ensure the accuracy of the information contained herein, the publisher and its agents cannot be held responsible for any errors contained, or any loss incurred as a result. Articles published do not necessarily reflect the views of the publishers. The editor reserves the right to alter or cut copy. Articles submitted are deemed to have been cleared for publication. Advertisements and company contact details are published as provided by the advertiser. Technews Publishing (Pty) Ltd cannot be held responsible for the accuracy or veracity of supplied material.




© Technews Publishing (Pty) Ltd. | All Rights Reserved.