In the last two or three years, cyber security breaches have reached epic proportions. We are talking biblical levels of data exposure, financial losses, and other forms of damage. According to the Breach Level Index, almost 4 billion data records have been unlawfully exposed since 2013. The Ponemon Institute’s, annual study into the impact of cybercrime on business, saw average losses of around $7.7 million per organization.
In 2014/2015 there was a wave of cyber security breaches; each seemed bigger than the last. The Anthem breach, for example, resulted in the exposure of almost 80 million patient records containing sensitive data. Then there was the Office of Personal Management (OPM) with around 22 million employee records breached. I could describe dozens more. Each of these become major news stories and contributed to an increasing mistrust of data custodians.
Figures like this are shocking, but can sometimes numb us to the actual, real-world impact of this type of exposure. When a security alarm is triggered, it is more than money that takes a hit; it is the fundamental trust between an organization and their customer base that suffers.
It’s a Stick Up: Your Reputation or Your Money?
Most U.S. states have data notification laws and other countries have similar types of disclosure expectations, for example the EU Privacy Directive. If data under your control is exposed, you have to declare it. This means that a breached organization has to alert their customers to the fact their data has been stolen and are likely up for sale on the dark web. Once the cat is out of the bag, a company’s reputation for protecting customers becomes newsworthy and the social media and news outlet frenzy begins. This then begins the cycle of reputational damage. A damaged reputation results in losses across the organization, from customer engagement and loyalty, to share price drops.
The problem is that security breaches cause fundamental loss of reputation and trust. In a global survey by Deloitte, Reputation@Risk, which looked at the areas within an enterprise that can negatively impact reputation, they found that cybersecurity was one of the top three drivers of risk to reputation; The Americas having the highest level of concern in this area. But, the buck doesn’t stop at your own corporate door. Deloitte also found that enterprises are being increasingly held accountable for the security problem originating with third-party relationships like the supply chain. This leaves an enterprise with a problem. How can you handle security breaches to minimize the impact on reputation and decrease financial loses. The answer lies in building trust across an extended network of stakeholders – the eco-system.
Using Trust as a Central Part of a Cybersecurity Strategy Plan
Trust, is something we all strive for in our personal lives and at work. Trust touches our business relationships across a multitude of divides and stakeholders. Building a trust eco-system is a fundamental part of a cybersecurity strategy. As part of this, developing a reputational risk process can make sure that in a crisis your brand comes out on top.
Go to Dr. James Hall to view other articles written by Dr. James Hall involving Social Media Marketing for Security and building Trust
Crises happen when a major event like a cyber security breach occurs and people panic. In the past, this was more containable. Today, social media platforms have given the world a voice, and this voice is loud and vociferous. When a cybersecurity incident happens, it can quickly get out of control and be played out, for the world to see, across social platforms. In Peter Anthonissen’s book, ‘Crisis Communication: Practical PR Strategies for Reputation Management and Company Survival’ he talks about how our reputation is linked to how we handle these crises, implying that “Effective, fast communication can even strengthen a company’s reputation”. If it is possible, to take a destructive situation and turn it around to your advantage, then you should. Creating stronger relationships with your customers should be part of your underlying strategic position on handling reputational damage caused by cyber security breaches. Being prepared and pro-active are the keys to communication.
Building the Trust Eco-System – We’re all in This Together
When a cybersecurity breach occurs, it can be devastating. Systems go down, the IT department is out of reach – too busy fixing the damage, C-Level executives are trying to manage investor fear. The worst thing you can do in this situation is to be unprepared to handle the onslaught of media fervor in getting to the heart of the story. Then there are your customers’, worried about their financial details or identity data being out on the web in a free for all. You need a plan. Let’s just assume you will experience a data breach, perhaps a devastating breach. This is not such a far-fetched expectation, as a recent UK government survey found that 70% of all firms have suffered a cybersecurity breach. There are plenty of examples of how other organizations have handled cyber-breaches in recent years. We can use these to learn how, or how not, to limit reputational damage, post-exposure, by looking at how others do, or don’t, succeed in this area.
A recent case study shows the importance of transparency of communication. The UK telecoms firm, TalkTalk suffered a cyber breach in October 2015, which resulted in around 4% of TalkTalk’s user-base of 4 million customers having personal data stolen. The interesting thing about this breach was how it was managed. The first mistake was to alienate the security community. TalkTalk told the police within hours of the incident but delayed informing the UK data protection watchdog, which may have been able to help handle the ensuing press onslaught. The breach hit the news with many unknowns. The numbers were unknown and as a result anyone with a TalkTalk account felt affected, even if they weren’t. This resulted in customer panic with over 180,000 tweets being sent out to TalkTalk over 2 days. The result was that TalkTalk lost over 100,000 customers post-breach, with financial losses estimated at around $70 million.
TalkTalk was heavily criticized for their handling of the breach. They could have improved their position if they had been more transparent and open with their customer base about the attack. They could also have improved their customer reaction, post-breach, by having a more open relationship about the likelihood of a breach occurring. Working with their customers to improve their own individual security awareness, and sharing TalkTalk’s corporate responsibility towards data would have softened the blow.
Building a robust trust platform, to handle pre and post-breach occurrences is a matter of pragmatic transparency and communication. It starts with education on data practices, having a very strong corporate approach to data ownership and data protection methods. Communicating this to all stakeholders in the extended eco-system, shows you have thought through the implications of a breach and how its effects can be minimized if it happens. The World Economic Forum in their report, ‘Rethinking Personal Data: Strengthening Trust’, describe three main factors in developing a trusted community that can cope with data breaches:
- Protection and security
- Rights and responsibilities for using data
- Accountability and enforcement
Being able to address these three fundamental areas will allow you to establish the transparency and communication necessary for a trusted relationship. Addressing these issues gives us a set of guidelines to use when creating both pre and post-breach campaigns. We can better answer and manage Twitter storms and press questions because we will be prepared with answers, and have built up a relationship around this area with our customers.
Trust in Each Other
The business-customer relationship should be a mutually beneficial one, which can only be achieved through trust and respect of each other. Instead of the cybercriminals pitting our customers against our organization, we should work together against the cybercriminal – they are the common enemy, they are affecting our business and our personal data. We need to work together, to focus our anger and resources against cybercrime, not against each other. By building a platform of transparency between the customer and the company we can encourage trust and a positive approach; to handle the cybersecurity onslaught we need to work together to mitigate breaches.
Pre and post-breach campaigns can help us all to understand how to better protect each other from the impact of cybercrime through education and sharing. Campaigns focusing on positive outcomes, learning from mistakes, and ensuring both parties take on board advice on applying security tactics, will develop an environment of mutual help and respect. Cybercrime will not be slowing down anytime soon. And with even greater Internet connectivity across highly distributed infrastructures such as the Internet of Things, we can only expect cybercrime to increase. We need to work together, build these trusted networks of companies and individuals to tackle this threat head on and work together as a trusted unit.