It’s not just fines that can hurt in the wake of a data breach – your reputation can take a hit, too
by: Jane McCallion
There’s a lot to be said for reputation. Like trust, it’s hard to build but once you’ve gained it, it will see you through some tougher times. Jaguar, for example, lost some of its lustre as a luxury brand when it found itself in Ford’s hands, but its reputation saw it through the tough times to its return to status as part of Jaguar Land Rover.
Similarly, Apple went from playing second fiddle to Microsoft and near bankruptcy through to the powerhouse it is today.
Sometimes, however, the damage is irreparable. Most people would surely think twice before taking a transatlantic cruise on a ship called the Titanic, for example, or boarding a hydrogen-floated zeppelin.
With the advent of GDPR in Europe, and similar legislation emerging elsewhere across the globe, a great deal of emphasis has been placed on the monetary cost of a data breach, whether that's through fines or compensation. But there’s also the question of reputational damage, which can prove costly in other ways.
In the media glareIn the immediate wake of a data breach, there’s a lot to take in. What was lost? Was it an attack or an accident? Has the breach been closed?
If you’re a household name, such as TalkTalk, Equifax or Yahoo – or involved in something salacious like Ashley Madison – you will likely find yourself in the unenviable position of doing these initial investigations in the full glare of the media spotlight.
For such businesses, especially nowadays, the reputational impact will be immediate. Depending on the size of the data breach and how it happened, big businesses are likely to find themselves on the front pages of the papers and in the broadcast headlines too. In this kind of situation, the axiom that “all publicity is good publicity” falls very flat.
Even if your own organisation’s data breach doesn’t warrant a spot on the evening news, that doesn’t mean you will have escaped public condemnation: Disgruntled customers – or now former customers – will be disavowing you on social media for having shown little care for their personal information, potentially for years to come.
It’s not just the act of losing control over customers’ personal data that can harm a business’ reputation, either. Speaking as a guest on the IT Pro Podcast, Dr Rois Ni Thuama, head of cyber governance at Red Sift, pointed to the fallout of the 2014 Sony Pictures hack as one example.
“You had large dumps of Sony data … you’ll remember there was a lot of stuff on actor compensation, there [were] embarrassing email exchanges. One of the key players (co-chairperson, Amy Pascal) sent something that was racially insensitive,” said Ni Thuama.
“People lost their jobs… their careers and their professional lives were damaged, particularly the woman (Pascal) who sent the charged emails, and then there was definitely a loss of reputation over the actors’ compensation,” she added.
The importance of accountability Away from the data breach itself, how the organisation acts once the incident can have a major impact on the depth and permanence of the damage an organisation faces.
Gabriel Friedlander, the founder of security awareness training firm Wizer, tells IT Pro: “Yahoo, Uber and Anthem are three data breaches that stand out in the US because of the lack of accountability, lack of transparency, and length of time between a breach happening and the truth coming out.”
“Companies also invest a lot in ‘values’, so when companies lie or try to hide a breach, it ruins the trust and goodwill that has been built up over years with many of their customers, some of whom will quickly look to the competition for a more safe and secure alternative,” he adds.
Simon Smith, a specialist in cybercrime and computer forensics, feels similarly.
“Trust is the driver for any business success. If trust is lost then some businesses may never recover,” Smith tells IT Pro.
“It can depend a lot on the nature of the breach and how the company reaches and remedies the breach. Dishonesty or non-disclosure can cause a great loss of trust that could easily destroy any business after only one incident. Customers, the authorities and society will be concerned about a company's security and ability to protect data if systems are not in place to handle and mitigate the problem.”
Small business, big problems Sadly, when it comes to reputational damage, SMBs often fare worse than larger ones.
“We see a 60% failure rate among the SMB market after a company discloses a breach within 6-12 months,” says Friedlander. “This partly due to confidence issues, partly due to recovery challenges, etc.
“The SMB market is crowded. Think about a restaurant, if it gets breached people have many options for going to eat somewhere else, and if your accountant got breached, you will probably leave and find someone else.”
Bigger businesses, on the other hand, may be harder to move away from. It’s also likely they have greater resources to put towards crisis management, as well as to pay any regulatory fines and settle lawsuits.
Smith adds that SMBs can suffer worse damage to their reputation as they may not realise their responsibilities or act appropriately.
“Small businesses make up the majority of all business, but as many are not publicly listed, they feel they do not have to disclose every event. This in itself causes a major problem as it is now considered a regulatory issue across the world where businesses of all sizes can be fined for breaching the obligation to secure personal records,” he says.
“Any size business is equally at risk because somewhere along the way, they got the attitude that ‘it can’t happen to us’, or, ‘it can’t happen to us again’. Without proper process, project, policy and infrastructure governance in place to protect their systems, it is always going to be a ticking time bomb,” he adds.
If you survive the initial damage, the lasting impact may not be quite as catastrophic as one would imagine, though – as they say, time heals all wounds.
“Long term, there is an argument that there’s little consequence as humans have short memories,” says Friedlander. “There’s a plethora of breaches and companies get lost in the mix.”
Nevertheless, while there are methods to mitigate reputational damage in the wake of a data breach – including the passage of time – it pays to put as much effort into preventing one happening in the first place. Not only do you reduce the risk of harm, but if a breach does happen the reaction will likely be more sympathetic if it can be shown it happened despite you having ample defences and procedures in place.
Read more from IT PRO