Mandy Pattenden – Marketing Communications Manager
It was American business magnate Warren Buffett who said “It takes 20 years to build a reputation and five minutes to ruin it”. In these days of increasing data breaches, companies worldwide would be wise to consider his words carefully.
The average cost of a data breach to a company in 2015 was estimated at £2.37 million, with this figure encompassing everything from breach mitigation and lawsuit pay-outs to falling share prices and, most importantly, damage to brand reputation. In fact, a recent survey by the British Retail Consortium revealed that three-quarters of retailers said a negative brand reputation was a ‘high’ or ‘very high’ threat to business.
Take two well-publicised cases – US retailers Target and Home Depot. These breaches drew a lot of attention to the threat of cyber-attacks and the importance of stringent IT security, as:
- Both received extensive media coverage and analysis
- They happened within a relatively short timeframe of one another
- They both involved point-of-sale (PoS) systems inside ‘brick and mortar’ stores
Yet they differ in one key characteristic: there is a stark contrast between the way in which each company responded. Home Depot’s quick and efficient action by the audit committee, management team and CIO meant that the breach did not cause nearly as much damage to customer sentiment and subsequent sales figures. Target’s response was far less successful, seeing the company lose US$252 million and be criticised heavily across the industry for its poor handling of the breach.
Considering the impact on Target’s image (CEO Gregg Steinhafel resigned as a result), it’s unsurprising that CIOs have started receiving a lot more attention from the board of directors and have seen their security budgets increase. Many legal teams also now interact on a regular basis with IT teams to understand the risk to the company. People are certainly starting to understand the disastrous effect a data breach can have on a business’s bottom line.
The threat to brand reputation is especially important in this day and age of social media, where consumers can instantly take to the web to voice an opinion or make a complaint. Thanks to the likes of Facebook and Twitter, people now have readily available platforms to name and shame companies. This means word spreads faster, with data breaches becoming notorious overnight.
Legislation is starting to catch up with the realities of data security – the new European General Data Protection Regulation (EU GDPR) will require companies to declare data breaches within 72 hours, which means there will no longer be anywhere for businesses to hide. And any breach of the regulations will see companies fined 4% of annual global turnover or €20 million, whichever is greater.
IT directors need to ensure the company is prepared, both in terms of data security and in how to respond in the face of a data breach. There needs to be a solid disaster recovery plan, with all spokespeople well briefed about what has happened and what’s being done to fix it.
Company boards have always had the issue of data breaches on their radar for obvious reasons. Situations that affect share price will always be a top focus, especially when they concern the company’s image. But after having worked in the security technology industry for over 4 years, it has been interesting to note the way in which general IT staff view the process of securing sensitive data.
I had always assumed that because these staff are tasked with protecting the company’s technology, they approach their jobs purely from a tech point of view. But thanks to the numerous data breaches splashed across news headlines, it would seem that they are now more concerned with the backlash and impact on company reputation. The ‘bigger picture’ has seemingly trickled down from C-level executives to the rest of the business, in particular IT staff. And this can only be a good thing when it comes to making data security the top priority for everyone involved.