The reputational damage of data breaches: don’t hope for customer apathy

Damien Manuel

  • CISO – Australia & New Zealand, Blue Coat
Damien Manuel is Chief Information Security Officer (CISO) for Blue Coat, now part of Symantec, in Australia & New Zealand. With more than 20 years of business, governance and ICT experience in security, Manuel leads Blue Coat’s team of consultants in the region, carrying on the company’s legacy of delivering the best possible protection against advanced adversaries. He works with senior IT executives from Blue Coat’s customers to help ensure they align their security architectures to industry best practices. Before his appointment as Blue Coat’s CISO, Manuel worked as a senior information security governance manager and later as an enterprise IT and security risk manager at National Australia Bank (NAB), where he was responsible for managing the bank’s Information Security Standard globally. Prior to NAB, Manuel was an account director at RSA, where he was responsible for enterprise accounts with a major emphasis on financial services and telecommunications. He also held senior roles at Telstra and Melbourne IT. He is currently on CompTIA’s executive advisory committee and is the national branch director for the Australian Information Security Association (AISA). Manuel holds an MBA from the University of Melbourne; a Project Management Diploma from the University of New England; a postgraduate degree in Genetic Engineering from Monash University; and a Bachelor’s degree in Education majoring in Chemistry & Biology from the University of Melbourne.

Do customers still care about data breaches these days? Has ‘breach fatigue’ turned outrage into apathy? Will a data breach really damage your brand and bring down your business?

In recent weeks, two Australian retail giants have each informed their online customers that their names, email addresses, order information and delivery addresses had been stolen in hacking attacks.

The retailers made it clear that no credit card or other financial data of their customers had been exposed – but that makes the breach no less concerning. With home addresses and purchase history it would be easy for criminals to target the homes of people who had just bought a new TV, jewellery, or even luggage, which suggests an empty home is imminent. And what about those discreet and potentially embarrassing purchases – the ones people typically make only online to avoid eye contact with sales staff?

Have customers accepted data breaches as an inevitable fact of life in a digital world? Are they aware of the personal impacts? Or is it only those of us in the information security industry, privacy advocates and those “in the know” who are paranoid about data loss?

Don’t hope for apathy – there is a significant cost to companies that suffer a security breach. In Australia, the average total cost of a data breach rose to $2.82 million this year, according to the Ponemon Institute’s 2015 Cost of Data Breach Study. The study found that certain sectors (especially financial services companies) experienced high customer churn following a data breach.

Credit ratings agency Standard and Poor’s said in a recent report that banks and lenders could see their credit rating cut if they failed to protect themselves from cyber-attacks or suffered a severe breach. “We view weak cybersecurity as an emerging threat that has the potential to pose a higher risk to financial firms in the future, and possibly result in downgrades,” the firm said.

For business-to-business enterprises, reputational damage is serious. It could mean breach of contracts, lost work, loss of intellectual property and a blacklisting in a sector or vertical.

It’s little wonder that the majority of Australian CEOs, CIOs, CSOs and IT managers cited “reputational loss” in a Telstra survey as the most serious and impactful result of a security incident on their organisation.

The public’s concern over a data breach is likely to increase further still when they find they are being targeted by criminals or more personal information has been exposed. It is easy to cancel a credit card. It is less easy to hide the fact that your name and details were found on the database of an extra-marital affair website.

Extortionists are using data hacked from the Ashley Madison website to track down Kiwis and Australians and demanding thousands of dollars in Bitcoin payments not to inform their partners and families.

As the huge amount of exposed data is analysed and matched with online profiles, there is little to stop criminals from identifying when individuals are going on holiday and selling that information to thieves. People can very easily become victims of identity fraud once their data is lost.

When a data breach has more significant knock-on effects for individuals, it will in turn have a more severe impact on a company’s reputation.

Although a data breach can feel inevitable, there are steps companies should take to protect their customers and themselves.

  • Know what data is important within the organisation, where it is, who is accessing it and how it is being used.
  • Having a plan to deal with a breach, including notifying those affected promptly and directly, can work to lessen the reputational damage caused, but only if you know what has been lost or exposed.
  • Clear communications, planning and incident response are essential to surviving the first days of a data breach.
  • Create a culture that attracts great people (a culture of continual improvement without blame when things go wrong).
  • Analyse existing business processes and look for areas to streamline, simplify and improve. Don’t forget to understand process-handover points between internal departments and third parties.
  • Integrated technologies will be key in the long term to automate processes, reduce the burden of monitoring and investigation on security teams, and improve the effectiveness of existing controls.
  • Most importantly: think like a cyber-criminal. What data do you have that is of use to them? How can that data be monetised or exploited? When is the most vulnerable time for your organisation (for example, an IPO, M&A, holiday trading times or the period prior to the launch of a new product)? Those are the times businesses have the least resilience to a data breach.

As an industry, we need more research and data to fully understand the impacts of a data breach on businesses and consumers. Recent major breaches have resulted in the removal of a number of top executives, a loss of focus on core business during the remediation and a short-lived bottom-line impact.

While some large businesses can return to “business as usual” within months, for others, like the Ashley Madison website, the repercussions are dire.

The reputational damage of a data breach is complex to measure and depends on the type of business service offered, the customer base segmentation, the competitive landscape, any goodwill already established towards the brand, timing and the type of data exposed. A breach will result in anything from a short-lived impact to total loss of business. What’s certain is the impact on the personal branding of top executives like CIOs, CISOs and IT managers, whose careers could literally end overnight.

Damien Manuel, Chief Information Security Officer (CISO) for Blue Coat Australia & New Zealand

Tags: Blue Coat Systems, Ponemon Institute, data breaches, CSO Australia
