The impact of a data breach sends shock waves throughout an entire company. Recent high-profile cybersecurity crises hitting organisations including Equifax, Wonga, Yahoo, TalkTalk and the NHS have highlighted the significant, far-reaching consequences a data breach can have on reputation, customer trust, share price and company finances. A Ponemon research study commissioned by Centrify has shown, for example, that consumers are ready to walk away from a company that fails to ensure their privacy.
An astonishing half of all consumers (51 per cent) have been notified by a company or government body that their personal information has been lost or stolen as a result of one or more data breaches in the past two years. This has caused serious damage: 65 per cent of consumers lost trust in that organisation, and one in four has ended their relationship with the company following a security incident.
In addition to tarnishing a company’s reputation, data breaches hit shareholder value. The Ponemon report found that the stock value index of 113 companies declined an average of five per cent the day a breach was disclosed, resulting in millions of pounds of losses. They also experienced up to a seven per cent customer churn.
With GDPR and mandatory breach notifications on the horizon, it has never been more important for a company to take adequate steps to secure its data – particularly if it is involved in a complex and geographically dispersed supply chain. However, Ponemon’s research reveals that most businesses currently lack the understanding and leadership necessary to do this.
The expectations gap
When it comes to safeguarding their personal information and preventing data loss, consumers expect companies to take more responsibility than they’re willing to assume. Almost three quarters of consumers (73 per cent) believe organisations have an obligation to control who has access to their personal information, but less than half (44 per cent) of IT practitioners agree.
Consumers have a distinct lack of faith in companies’ abilities to meet their expectations. Seventy per cent say privacy and security practices are very important to preserving their trust, but only 31 per cent believe organisations are able, at a high level, to protect their personal information.
The C-suite blind spot
With so much at stake, data security has become a bottom-line concern, and should be elevated to the boardroom. Senior executives must take the lead on developing and implementing a comprehensive security strategy that protects the entire business and brand, with a holistic approach that also incorporates the supply chain.
Worryingly, however, 39 per cent of IT practitioners don’t believe senior level executives take brand protection seriously, while 70 per cent do not believe their companies have a high-level ability to prevent breaches.
IT itself also needs to better understand the link between cybersecurity and the wider implications of a breach: 71 per cent of IT practitioners do not believe that brand protection is their responsibility, while only 18 per cent allocate a portion of their IT security budget to brand preservation. Only three per cent of IT pros are concerned about falling share prices following a breach. If this is to change, it needs to be driven from the top.
There are a number of industry best practices a business can follow to protect its image, strengthen its credibility and retain customer loyalty. Improving cybersecurity is essential for strengthening a company’s resilience to breaches as well as its ability to recover if the worst happens.
Appoint a fully dedicated CISO. It’s the role of the Chief Information Security Officer (CISO) to educate senior executives on the merits of investing in adequate security defences. The ideal candidate will be someone who has an established track record of moving organisations from an immature to a strong security posture, and who can bring real experience to achieving best practice.
Invest in security. A comprehensive security strategy is central to preventing unauthorised access to and disclosure of customer data, and ensuring the confidentiality, integrity, availability and resilience of systems and services. There must be adequate budget allocated to invest in skilled staff and up-to-date security enabling technologies – particularly enterprise-wide encryption.
Invest in other resources. Strategic investments in people, processes and technologies will also protect the organisation if a breach occurs. Companies with a strong security posture are better equipped to respond to a breach event – and the same report found that organisations in this category saw an average share price decline of no more than three per cent, with the stock value recovering after only seven days. In contrast, the stock prices of companies with a poor security posture declined as much as seven per cent, and this lasted on average more than 90 days. They were also more likely to lose customers.
Plan for the worst. Less than a third of IT professionals rate their companies’ ability to prevent or resolve a data breach as high. To improve confidence in this area, an effective data breach preparedness plan is critical. This should include procedures for communicating with investors and regulators.
Build a culture of security awareness. Effective training and awareness programmes will reduce employee negligence by increasing their understanding of the risks and threats posed by cyberattacks, and ensure everyone is working together to protect against potential infiltrators.
Undertake regular security vulnerability audits. Regular assessments will ensure that any security holes in a computer, network, or communications infrastructure are identified. Measures can then be taken to address them and guard against future breaches.
Incorporate policies and assessments for managing third-party risk. An identity and access management (IAM) system is a good starting point to audit and categorise who has access to what data and when, and exercise control over who sees what.
Collaborate across silos. Internal teams must focus on the bigger picture and open up clearer channels of communication across lines of business, working together to determine data security priorities. CMOs and their teams are a vital component of incident response plans, for example.
Participate in threat sharing programmes. Similar organisations can often be targeted by the same threat, so taking part in a threat sharing programme with partners and companies you trust offers a better and often faster way to detect attacks. It also helps you avoid doing work that has already been carried out by someone else.
Data breaches have become commonplace, and are a business problem with serious consequences. The C-suite needs to be actively engaged in defending a company’s reputation and value by addressing how information is used and secured. Without strong leadership, there will continue to be a disconnect between the priorities of organisations and their customers, and a lack of clarity over who is responsible for protecting customer data. The outcome will be lost customers and millions being wiped off share prices, with no hope of a quick recovery.