A study has found that share values of 113 businesses polled lost an average of 5 percent following a data breach.
Is it just share value that a company loses or is there more at stake? I recently saw an advert for cybersecurity insurance on the London Underground offering a package that included IT experts to forensically examine the nature and reason for the attack. It also talked about the crack team of brand reputation management experts to help with the crisis management response in case of a cyber breach. So, is brand reputation as important as share prices?
“In this past year alone we’ve seen high-profile data breaches, such as Yahoo and TalkTalk, experience the significant consequences that a breach can have on shareholder value and brand reputation,” said Bill Mann, senior vice president of products and chief product officer, Centrify. It’s clearly a blind spot for the C-suite and it’s time leadership recognise that protecting data is no longer just an IT problem, but a bottom-line business concern that needs a holistic and strategic approach to protecting the whole organisation.”
I spoke to Nick Bleech, Head of Information Security, Travis Perkins recently and he seems to think it is interlinked. However, to him it isn’t just reputation and share price but also customer loyalty at risk.
Travis Perkins experience a 15-week high-volume period from before-Easter to the beginning of June when the severity and number of attacks also go up.
“We have clear evidence of attacks matching that volume. Three years back we had three successful ransomeware attacks. They hit one office and although they asked for no more than £500, it was obvious that we needed to act.
“Cyber criminals usually price it right so the victim is more likely to pay the ransom than pass it to the Police or spend time fixing the problem. Attacks are so widespread that it isn’t just a case of outrunning the leopard but running faster than the others who are trying to escape the bad situation too.”
“My biggest challenge has been to get the right security tools like Fire-eye and Splunk in place. Building the security framework has been part of the journey. I still have huge stakeholder backing to do more. Identifying and responding to attacks was very long process and we have now cut the response time down from 3 months to 3 hours. For an organisation of 28,500 employees and 2500 locations- to be able to spot where and get resolution underway that quickly is really something.”
While at Travis Perkins, stakeholder backing has helped the security framework for the company that counts amongst its clients giant construction projects like CrossRail and HS2, the case is different elsewhere. CISOs bemoan the lack of communication and understanding between the Board and the security officers. Indeed, the Centrify/Ponemon study found that 39% off IT practitioners and 36% marketing practitioners don’t believe that brand protection is taken seriously by senior level executives. This is despite the fact that one in four (27%) customers discontinue their relationship with an organisation that has suffered a data breach.
However, the reason for the C-suite lack of empathy runs deeper than just misunderstandings. Commenting on the findings, Independent Cybersecurity Expert, Dr Jessica Barker said: “With so many data breaches hitting the headlines, there can be a sense of defeatism among some organisations. Breaches are seen as inevitable so some organisations question the value of spending on security when it won’t make them 100% secure. However, this research has found that investing in security helps protect the organisation when even the worst happens, as companies with a strong security posture experience much quicker stock price recovery than those with a poor security posture following a data breach.”
Now the hope is that with GDPR legislations coming into force in exactly a year, senior level executives will be forced to listen, spend and take on board all comments to do with keeping their IT estates safe and themselves better protected.