Does a data breach really affect your firm’s reputation?

Image credit: Reuters/Larry Downing

The long-held view is that breached companies are cast aside by consumers, investors and shareholders. A breach isn’t just a temporary glitch – it’s a mistake, a faux pas, which you can’t just shake off.

This warning has been used by information security professionals over the course of the last five years, and for good reason: nothing gets a CEO's or CFO's attention on security matters more than "this is losing us money".

However, on closer inspection, it could be argued that this reputation argument is a falsehood.

Over the course of the last 18 months, we’ve seen some of the biggest, most widespread, data breaches in the history of the Internet.

Target was compromised via its third-party air conditioning supplier in 2013 (40 million credit card records were stolen); Sony Pictures Entertainment was allegedly hacked by a nation-state, resulting in the release of one unreleased film, the postponement of another, and terabytes of sensitive data posted on Pastebin. Then there have been Anthem, JP Morgan, OPM, Sears and TalkTalk, to name just a few other breaches affecting millions of people.

Breaches are now becoming a daily occurrence, but the companies themselves appear unmoved.

Consumer trust is often damaged

One thing is clear: a data breach is a PR and financial disaster. Companies often spot the intrusion too late and respond inadequately, resulting in (temporarily) falling sales and journalist outrage.

Customers, for one, will often vote with their feet. UK-based fraud prevention company Semafone last year found that the overwhelming majority of people would not do business with a company that had been breached, especially if it had failed to protect its customers’ card data. In the survey, conducted by OnePoll, 86.55 percent of 2,000 respondents stated that they were “not at all likely” or “not very likely” to do business with an organization that had suffered a data breach involving credit or debit card details. The numbers were slightly lower if home and email addresses and telephone numbers had been lost.

“These figures help to underline what we should already know: the reputational damage suffered by a company that fails to protect personal data can translate directly into business losses,” said Tim Critchley, CEO of Semafone.


It is safe to say that damage to customer loyalty is done in the event of a breach, and that sales take a dive. Target’s sales fell 46 percent year on year in the fourth quarter of 2013, to $520 million (or 81 cents per share), while eBay (breached in mid-2014) declined to admit that user activity had affected its quarterly net revenue.

There are other financial costs to bear, including additional security (pen testers, consultants, security vendors, PRs and lawyers), litigation and fines by data protection authorities.

This said, it could be argued that big, established companies are confident they can ride out the fines and fees and keep hold of their customers. The UK’s TalkTalk even locked some customers into contracts – albeit with improved packages – on that basis.

To add to this, there is a theory that stocks eventually recover, a view backed up by Sean Mason, director of threat management at Cisco security services, a man who’s previously claimed to have “debunked the myth that breaches materially impact stock price.”

He’s got a point. For example, Home Depot’s data breach, which saw the compromise of 65 million customer credit and debit card accounts, saw breach-related costs come in at around $62 million. The company’s stock price decreased minimally one week after the announcement, but in the third quarter of 2014 Home Depot showed a 21 percent increase in earnings per share.

Target’s breach, culminating in the loss of over 100 million customer records, saw the retailer’s stock drop 10 percent afterwards. But by February the retailer had experienced its highest percentage stock price regain in five years.

There are other notable examples: Sony Pictures Entertainment saw its stock price keep growing following the announcement of its breach in 2014, while stock prices at JP Morgan Chase were stable following the breach and then rose shortly after. eBay, closing at $51.88 after the breach on 21 March, grew to $59.74 exactly a year later.

Amar Singh, former CISO at News International and founder of Give01Day, told CSO Online that this is because breaches have no lasting impact: “To be honest, cyber attacks have no impact on [people’s] lives. CEOs and CFOs are not fools... But unless [a breach] genuinely affects ‘real’ life, organizations don’t care. Your data is my data – it’s all virtualized. Cultural change is required, but sadly you can still [ride this out].”

Reputational damage is real

Reputational damage sees a difference of opinion, though. InfoSec folk largely agree that breaches impact the bottom line, but that – managed and responded to adequately – it can become business as usual (BAU). Stock prices recover, and stakeholders are appeased. Data protection authorities can be held off at arm’s length.

But ask them whether, over time, more intangible brand damage is done, and it’s a hard one to call.

Earlier this year, Ponemon Institute’s "The Aftermath of a Mega Data Breach: Consumer Sentiment" revealed that data breaches were up there with poor customer service and environmental disasters for impacting brand reputation.

Elsewhere, the Forbes Insights report ‘Fallout: The Reputational Impact of IT Risk’ indicated that 46 percent of organizations had suffered damage to their reputations and brand value as a result of a breach. Another 19 percent of organizations suffered reputational and brand damage as a result of a third-party security breach or IT system failure.

Jane Frankland, a consultant at KnewSmart and formerly managing director at SensePost and NCC, said these figures highlight the importance of brand and corporate reputation and “the damage a breach can do if it is not handled properly.”

Ed Wallace, director of advanced threats at MWR InfoSecurity, agreed with the latter point, but suggested that breaches are par for the course for companies.

“Being breached currently, by and large, doesn’t affect your reputation. There are few exceptions of course. But how to manage a breach can affect your reputation and that’s a very different thing.”

Singh took a stronger line: “Sony hasn’t gone bankrupt; they are still operating as normal, Target is still around... Small companies don’t believe it either, but more of them will go bust than big companies.”

“The reality is that there is no accepted formulae for measuring ‘brand reputation’,” added Cisco’s Mason. “Brand value is generally accepted as a number of intangible data points that point towards consumer feelings toward the brand and how much of a premium they would consider paying above a competitor -- it really has nothing to do with monetary loss.”

Frankland believes companies are waking up, but this requires good CISO-CEO communication.

“Organizations must protect their corporate reputation as an increasing importance is being placed on business ethics and governance. Furthermore, consumers, investors, partners, employees and shareholders are holding organizations accountable for their actions. Corporate reputation matters.

“A favorable corporate reputation is a valuable, yet intangible asset. It plays a vital role in attracting the best talent, suppliers and investment.” The best talent will take jobs, suppliers will reduce contractual risks by working with partners they trust, and financial analysts include reputation metrics as part of investment criteria.

The experts were in agreement that this must be made known to the CEO, with Frankland in particular stressing the responsibilities are on the CISO’s shoulders.

“What C-levels want from a CISO is a risk metric and a value in terms of cost. They want to understand exactly what their liability will be if such an event were to take place. CISOs need to be able to give C-level execs a definitive answer on this, yet often it’s hard as asset registers are missing, digital footprints are unknown, risk models are complex and claim forms are dubious.

“It’s also not just a case of response and reputational damage costs or legal and contractual fines. In some cases, it’s all of those plus more and an organization may be brought to its knees. In others, it might not be as bad as the organization thinks.”

Minimize damage with proactive response

It’s clear, then, that breaches do result in damaged trust, to a degree damaged brand reputation, and a damaged bottom line. Target and JP Morgan pledged to spend an additional $100 million and $500 million respectively on security post-breach, while Target also had to pay back card issuers, and lost $236 million in breach-related costs ($90 million of which was offset by insurance).

The experts believe that this cost – and brand damage – can be significantly reduced if a breach is responded to properly.

“An organization can minimize the impact by taking the appropriate action,” Frankland said. “For example, an organization can make sure it has an incident response plan, a crisis management plan, media training for any spokespeople, and a war-gaming exercise to test its resilience.”

Mason added: “Before a breach happens, you should have your people and processes nailed down. If and when a breach does happen, ensure you’re communicating as required, as quickly and truthfully as possible.”

Wallace says response is vital, especially with new laws like the EU GDPR pushing companies to report breaches – or face fines. Other experts, including lawyers, call for internal communications to be joined up between management, PR, and regulatory and litigation experts when dealing with breaches.

This story, "Does a data breach really affect your firm’s reputation?" was originally published by CSO.
