October 5, 2023
At a Glance
- Assessing direct and indirect costs of data breaches can shed light on potential damage.
- Leaders must build a plan of attack to safeguard reputation after a breach.
- Breach post-mortem can help organizations realize long-term repair after a damaging breach.
Data breaches are expensive. Direct costs, like remediation, notification, lawsuits, fines and potential ransomware payments, are relatively easy to measure. The indirect cost of reputational damage can be harder to capture, but it can have a long-lasting impact on a business.
Trust is essential to a company’s brand image. A breach can tarnish that image in the eyes of consumers, business partners and the public markets. Depending on how an organization responds to a breach, that brand damage can lead to lost business. Following a data breach, how can leadership understand how much damage has been done to an organization’s reputation, and how can they repair it?
Understanding Reputational Damage
The nature of a breach influences how much reputational damage an organization can suffer. “Impact generally increases with the sensitivity of the type of data that may have been compromised,” Fred Rica, a partner at advisory firm BPM, tells InformationWeek. A breach involving, say, email addresses is likely to be less harmful than a breach involving financial information.
Factors like an enterprise’s industry, the number of other parties impacted and regulatory scrutiny also play a role in potential reputational harm. A cybersecurity company selling services to defend other organizations may take a reputational hit when it falls prey to a breach. A breach that spills outward and impacts millions of consumers and multiple supply chain partners is going to be a bigger deal than one that involves a smaller amount of internal data. A breach that garners the attention of regulatory bodies, particularly one that results in regulatory fines, is going to reflect poorly on a brand.
The timeline of a breach also matters to your brand. How long did the breach go undetected? How quickly was it remediated after it was discovered? Were your business operations disrupted? Were customers unable to access your services or get your products?
“You can quantify lost sales; you can quantify lost market cap; you can quantify reduction in stock price, but I don’t know that necessarily helps you quantify brand damage,” says Rica.
Putting an exact number on trust is difficult. Some organizations that regularly conduct brand research may be able to gain insight into how a breach impacts stakeholder sentiment, and by extension their view of the brand.
“A lot of consumer-focused organizations may have a lot of brand research where they already do regular surveys of employees, regular surveys on their brand health,” explains Katie Clark, EVP of crisis and reputation risk and US head of data security and privacy at global communications firm Edelman. “Those can be good indicators to use or measure either through an incident or post-incident to see if there’s been any sort of change.”
Even if an enterprise can’t put a hard number on its brand value, that value needs to be safeguarded nonetheless.
Building a Plan to Protect Your Reputation
Organizations are increasingly aware that a cybersecurity incident is not a matter of if but when. This means leadership has a chance to prepare for an attack and potential brand damage.
“You need to have a broad, integrated crisis management program or cyber incident response plan [IRP] that deals not only with the responsibilities of the CISO or folks in the IT shop, but the responsibilities of other stakeholders across the entire enterprise,” says James MacDonnell, a managing director who handles reputational risk, crisis management and resilience at assurance, tax and financial advisory services firm BDO.
A plan to protect your reputation has a technical component and a communications component. And it is important to remember that the people responsible for each side cannot work in isolation. All stakeholders need to be aligned.
“We can’t communicate unless the IT response is taking place, and there’s legal ramifications and risk to what we can communicate,” says Clark. That means the CISO’s team, the rest of the C-suite, general counsel, the communications team and any external partners, like a PR firm, crisis management firm, external counsel and the cyber insurance company need to be prepared with a coordinated response.
It is also critical to ensure all stakeholders know their role in communication following a breach. “If you do not have things like traditional and social media guidelines for your employees that says who is and who is not authorized to be a spokesperson on behalf of the company, you’re really setting yourself up to have a much, much harder day,” says MacDonnell.
Companies can run tabletop exercises for the technical and communication response plans for a breach. On the communications side, crafting holding statements for each potential impacted audience (consumers, employees, business partners and investors) can cut down the time it takes to craft a message in the event of a real breach.
How a breach reflects on a company’s brand hinges in large part on how the crisis is managed and communicated. “Every breach and every response have different results depending on the company, depending on the nature of the breach, or the incident, and depending on how it’s communicated,” says Doron Goldstein, privacy and cybersecurity partner on the crisis management team at international law firm Withers.
Once a breach happens, it is time to put the IRP into action. With the new US Securities and Exchange Commission (SEC) cybersecurity incident reporting rules, the communication aspect of a breach may be on a tighter timeline, which further highlights the importance of building a plan before a crisis hits.
“You may not be able to have the flexibility or luxury to give people two days’ notice to kind of get up to speed. You may have to do it in two hours or an hour before you roll it out to a broader audience,” says Clark.
That timeline can feel rushed, but that transparency is part of protecting your brand.
“Being vulnerable and authentic … is important. Being able to say ‘Yes, we had this breach, and we’re asking our stakeholders like the federal government, or we’re asking insurance companies to come in and help us,’ that’s what helps you get through this,” says Jeremy Capell, CISO of critical event management platform Everbridge.
If an organization without an IRP in place suffers a breach, in-the-moment action carries significant risk of further brand damage. “If you don’t have a plan, and you don’t have a particularly robust sophisticated and large team, I think that’s the time to call in outside help,” says Rica.
Common Communication Mistakes
Data breaches are evolving events that necessitate a rapid response. Missteps are easy to make, even for enterprises that have prepared and tested response plans. But communication errors can compound brand damage.
Speaking too soon. The pressure to get ahead of a breach story is immense. Wait too long and it appears like you are trying to obfuscate. But speak too soon and leadership may find itself walking back its initial statements. The rush to get out a statement leaves room for conflicting statements. If the CEO says one thing and an employee says another, you end up with muddled messaging that needs to be corrected. “Those things create a perception, or can create a perception, that the company either wasn’t giving full disclosure at the beginning, or it doesn’t know what it’s doing,” says Goldstein.
Failing to account for further compromise. Do you know how much access a threat actor has to your systems? MacDonnell worked with a company that fell victim to a ransomware attack. As soon as the leadership team realized what had happened, they jumped into planning mode. They made the decision to pay, after much conversation over company email. When they went to make their offer to the threat actor, they were met with an unpleasant surprise. “The only thing that was provided back was a screen capture of an email from the CFO to the CEO where the CFO outlined how much cash they had on hand, what their insurance coverage was and what they thought the absolute most that they would be willing to pay,” he shares. An important part of breach response planning is having offline options for communication.
Forgetting about employees. “I think one of the big audiences that organizations often forget about is employees,” says Clark. In the rush to update customers, business partners, investors and regulators, employees might be left in the dark. But employee perception and trust matter to a brand as well.
Shifting blame. An enterprise may not have been able to prevent a breach, particularly if it is targeted by a sophisticated threat actor. But opting not to take any responsibility can appear self-serving or disingenuous. “One of the things that is often the case in crisis communication is coming across as making an excuse or blaming somebody else doesn’t generally go over as well as saying ‘We are sorry, and we are going to improve,’” says Goldstein.
Not every data breach is going to result in long-term brand damage. “If an organization manages the response in a good manner, manages it properly, is responsible, communicates well–those instances often do not have long-term impacts,” says Clark.
Whether a breach casts a lingering shadow on your brand is a matter of how well an enterprise responds to the immediate crisis and how it moves forward. “You can go through a crisis, and you can come out on the other end through that process and actually enhance your reputation or damage your reputation,” says Capell.
At some point, leadership needs to determine when it has navigated the initial crisis. When can it return to business as normal and demonstrate that it can be a trusted steward of data going forward? Many organizations struggle with making that transition, according to MacDonnell.
Conducting a breach post-mortem can help organizations understand not only how a breach occurred but also how well it was contained and communicated. Rica recommends bringing in “…somebody from the outside who has a completely independent view and completely fresh set of eyes.”
That process can help an organization improve its breach communication plan and harden its security posture, minimizing the chance of future brand damage. “It doesn’t matter how good a PR team you have, or how well-crafted your holding statements are, if there’s no substance behind it,” warns MacDonnell.