The long-held view is that breached companies are cast aside by consumers, investors and shareholders. A breach isn’t just a temporary glitch – it’s a mistake, a faux pas, which you can’t just shake off.
This warning that has been used by information security professionals over the course of the last five years and for good reason; nothing gets a CEO or CFO’s attention on security matters more than "this is losing us money".
However, on closer inspection, it could be argued that this reputation argument is a falsehood.
Over the course of the last 18 months, we’ve seen some of the biggest, most widespread, data breaches in the history of the Internet.
Target was compromised via its third-party air conditioning supplier in 2013 (40 million credit card records were stolen); Sony Pictures Entertainment was allegedly hacked by a nation-state, resulting in the release of one unreleased film, the postponement of another, and terabytes of sensitive data posted on Pastebin. Then there’s been Anthem, JP Morgan, OPM, Sears and Talk Talk to name just a few other breaches affecting millions of people.
Breaches are now becoming a daily occurrence, but the companies themselves appear unmoved.
Consumer trust is often damaged
One thing is clear; a data breach is a PR and financial disaster. Companies often spot the intrusion too late, and respond inadequately, resulting in falling (temporary) sales and journalist outrage.
Customers, for one, will often vote with their feet. UK-based fraud prevention company Semafone last year found that the overwhelming majority of people would not do business with a company that had been breached, especially if it had failed to protect its customers’ card data. In the survey, conducted by OnePoll, 86.55 percent of 2,000 respondents stated that they were “not at all likely” or “not very likely” to do business with an organization that had suffered a data breach involving credit or debit card details. The numbers were slightly lower if home and email addresses and telephone numbers had been lost.
“These figures serve to underline what we should already know – that the reputational damage suffered by companies who fail to protect personal data can translate directly into a loss of business,” said Tim Critchley, CEO of Semafone.
Tim Critchley, CEO of Semafone
It’s true to say that customer loyalty damage is done in the event of a breach, and that sales do take a nose-dive. Target’s sales fell by 46 percent year-on-year in the fourth quarter of 2013 to $520 million (or 81 cents a share), while eBay (breached mid 2014) admitted declining user activity impacted its quarterly net revenue.
There are other financial costs to bear, including additional security (pen testers, consultants, security vendors, PRs and lawyers), litigation and fines by data protection authorities.
This said, it could be argued that big, established companies are confident they can ride on past the fines and fees, and keep hold of their customers. UK’s TalkTalk even locked some customers into contracts – albeit with improved packages - on that basis.
To add to this, there is a theory that stocks eventually recover, a view backed up by Sean Mason, director of threat management at Cisco security services, a man who’s previously claimed to have “debunked the myth that breaches materially impact stock price.”
He’s got a point. For example, Home Depot’s data breach, which saw the compromise of 65 million customer credit and debit card accounts, saw breach-related costs come in at around $62 million. The company’s stock price decreased minimally one week after the announcement but in the third quarter of 2014 Home Depot showed a 21 percent increase in earnings per share
Target’s breach, culminating in the loss of over 100 million customer records, saw the retailer’s stock drop 10 percent afterwards. But by February the retailer had experienced its highest percentage stock price regain in five years.
There are other notable examples; Sony Pictures Entertainment saw its stock price keep growing following the announcement of its breach in 2014, while stock prices at JP Morgan Chase were stable following the breach and then rose shortly after. EBay, closing at $51.88 after breach on 21 March, grew to $59.74 exactly a year later.
Amar Singh, former CISO at News International and founder of Give01Day, told CSO Online that this is because breaches have no long-lasting effects: “Let’s be honest, a cyber-attack is not having life impact. CEOs and CFOs are not idiots…but unless [a breach] really affects ‘real’ life, organizations don’t care. Your data is my data – it’s all virtual. A culture change is required, but sadly you still can [ride this out].”
Reputational damage is real
Reputational damage sees a differing of opinion, though. InfoSec folk largely agree that breaches impact on the bottom line, but that – managed and responded to adequately – it can become business as usual (BAU). Stock prices recover, and stake holders are appeased. Data protection authorities can be held off at arm’s length.
But ask them if there’s a longer, more intangible brand damage done and it’s a hard one to call.
Earlier this year, Ponemon Institute’s "The Aftermath of a Mega Data Breach: Consumer Sentiment," revealed that data breaches was up there with poor customer service and environmental disasters for impacting brand reputation.
Elsewhere and the Forbes Insights report, ‘Fallout: The Reputational Impact of IT Risk’, indicated that 46 percent of organizations had suffered damage to their reputations and brand value as a result of a breach. Another 19 percent of organizations suffered reputational and brand damage as a result of a third-party security breach or IT system failure.
Jane Frankland, managing director of consultancy KnewSmart and formerly of Sensepost and NCC, said that such figures highlighted the importance of brand and corporate reputation “and the damage a breach can do if it’s not dealt with properly.”
Ed Wallace, director of advanced threats at MWR InfoSecurity, agreed with the latter point, but suggested that breaches are par for the course for companies.
“Being breached currently, by and large, doesn’t affect your reputation. There are few exceptions of course. But how to manage a breach can affect your reputation and that’s a very different thing.”
Singh took a stronger line: “Sony hasn’t gone bust, they’re still up and running, Target is still around…small companies don’t believe it either and yet more of them go bust than larger companies.”
“The reality is that there is no accepted formulae for measuring ‘brand reputation’,” added Cisco’s Mason. “Brand value is generally accepted as a number of intangible data points that point towards consumer feelings toward the brand and how much of a premium they would consider paying above a competitor -- it really has nothing to do with monetary loss.”
Frankland believes companies are waking up, but this requires good CISO-CEO communication.
“Organizations must protect their corporate reputation as an increasing importance is being placed on business ethics and governance. Furthermore, consumers, investors, partners, employees and shareholders are holding organizations accountable for their actions. Corporate reputation matters.
“A favorable corporate reputation is a valuable, yet intangible asset. It plays a vital role in attracting the best talent, suppliers and investment.” The best talent will take jobs, suppliers will reduce contractual risks by working with partners they trust, and financial analysts include reputation metrics as part of investment criteria.
The experts were in agreement that this must be made known to the CEO, with Frankland in particular stressing the responsibilities are on the CISO’s shoulders.
“What C-levels want from a CISO is a risk metric and a value in terms of cost. They want to understand exactly what their liability will be if such an event were to take place. CISOs need to be able to give C-level execs a definitive answer on this, yet often it’s hard as asset registers are missing, digital footprints are unknown, risk models are complex and claim forms are dubious.
“It’s also not just a case of response and reputational damage costs or legal and contractual fines. In some cases, it’s all of those plus more and an organization may be brought to its knees. In others, it might not be as bad as the organization thinks.”
Minimize damage with proactive response
It’s clear then that breaches do result in damaged trust, to a degree brand reputation, and bottom line. Target and JP Morgan pledged to spend additional $100 million and $500 million on security post-breach, while Target also had to pay back card issuers, and lost $236 million in breach-related costs ($90 million of which was offset by insurance).
The experts believe that this cost – and brand damage – can be significantly reduced if a breach is responded to properly.
“An organization can minimize the impact by taking appropriate action,” said Frankland. “For example, an organization can ensure that it has an incident response plan; a crisis management plan, full media training for any spokespeople, and that a war games exercise is performed to test resilience.”
Mason added: “Before a breach happens, you should have your people and processes nailed down. If and when a breach does happen, ensure you’re communicating as required, as quickly and truthfully as possible.”
Wallace says response is vital, especially with new laws like EU’s GDPR pushing companies to report breaches – or face fines. Other experts, including lawyers, call for internal communications to be joined between management, PR and regulatory and litigation experts when dealing with breaches.