Digital transformation is exposing organisations to new risks. As they digitise more processes and data, and increase their use of mobile and cloud technologies, new security gaps appear. There is no longer a well-defined ‘boundary’ around corporate data, and traditional security measures are failing to prevent breaches. Addressing these security gaps is vital – particularly in light of the impending General Data Protection Regulation (GDPR), which will impose huge fines on organisations that don’t take adequate steps to secure the personal data of EU citizens. UK businesses will continue to be subject to the GDPR after Brexit.
Data breaches lead to long-term brand damage, as well as fines. Recent high-profile cyber-attacks on organisations including Equifax, Debenhams Flowers, Wonga and the NHS have highlighted the serious, far-reaching consequences they have for customer trust, share price and company finances. Half of all consumers have been notified by an organisation that their personal information has been lost or stolen in the past two years, according to the Ponemon study. As a result, 65 per cent say they lost trust in that organisation, and more than a quarter took their business elsewhere.
Despite this – and increasing uncertainty around what Brexit will bring – neither IT bosses nor senior executives are taking responsibility for preserving brand reputation by protecting customer data.
Great expectations
Consumers expect companies to safeguard their data. More than three-quarters (79 per cent) believe organisations have an obligation to take reasonable steps to secure their personal information, but only 66 per cent of IT practitioners agree. Meeting these expectations will become more essential to preserving customers’ trust, but a clash of priorities between IT and marketing departments is hampering companies’ efforts to do so.
Sixty-one per cent of Chief Marketing Officers (CMOs) believe the biggest cost of a security incident is the loss of reputation, and that breaches are even more damaging than a scandal involving the CEO. Less than half of IT practitioners (45 per cent) agree. Only three per cent of IT professionals feel concerned about falling share prices following a cyber-attack, despite the Ponemon research revealing that companies’ share prices drop an average of five per cent on the day a breach is announced. In fact, they’re more worried about scrutiny of their own roles than reputational damage.
IT and marketing departments also disagree on where the responsibility lies for protecting reputation through improved data security. Around two-thirds of senior marketers believe it sits with IT, but 71 per cent of IT practitioners claim it is nothing to do with them. Fewer than one in five allocate a portion of their IT security budget to brand preservation, and just 18 per cent collaborate with other departments.
Worryingly, more than a third of IT leaders and CMOs don’t believe that brand protection is taken seriously by senior managers within their organisation either.
The bigger picture
To prevent brand damage that could last several years, and improve the ability to withstand any turbulence that might follow the UK’s departure from the EU, IT needs to better understand the link between cybersecurity and brand protection. It should also play an active part in developing and executing a strategy that focuses on the bigger picture: protecting customer data and brand reputation through better security.
Companies with a strong security posture are better equipped to respond to a breach event, and also to recover from it. The Ponemon research found that organisations in this category saw an average share price decline of no more than three per cent, with the stock value recovering after only seven days. In contrast, the stock prices of companies with a poor security posture declined as much as seven per cent, and this lasted on average more than 90 days. They were also more likely to lose customers.
There are a number of best practice steps an organisation can take to strengthen its security posture as the UK begins the process of leaving the EU, and preserve consumers’ trust as their priorities and attitudes change.
Open up lines of communication. IT and marketing must stop operating in isolation, and work together to determine and execute shared data security priorities and plans. Marketing teams are a vital component in incident response plans, for example, to ensure customers are communicated with in the right way if a breach occurs.
Lead from the front. Senior executives must take the lead on developing and implementing a comprehensive security strategy that protects the entire business and brand. The cultural change needs to come from the top down.
Appoint a dedicated chief information security officer (CISO). He or she can take responsibility for improving communication across the business, as well as engaging senior-level executives in the need to invest in appropriate security defences. The ideal candidate will have an established track record of moving organisations from an immature to a strong security posture.
Build defences. Adequate budget must be allocated to make strategic investments in skilled staff and up-to-date security-enabling technologies, particularly enterprise-wide data encryption. An identity and access management (IAM) system will enable the business to control and audit who can see what data and when, across all users, applications, endpoints and infrastructure.
Plan for the worst. Having an effective threat response plan in place that is ready to be executed in the case of a data breach is critical. This should include procedures for communicating with customers, investors and regulators, and pre-assigned roles and responsibilities that include people from right across the organisation. This will support a move away from a siloed approach, and drive a culture of security and ownership.
Implement training and awareness programmes. Education will increase all employees’ understanding of the risks of cyber-attacks to the business and threats to the brand. As well as reducing negligence, this will get everyone working together to protect information from loss or theft.
Carry out regular vulnerability audits. Establishing a schedule of assessments will identify any security holes in the organisation’s computer, network or communications infrastructure. Measures can then be taken to guard against future breaches.
Participate in threat sharing programmes. Similar organisations are often targeted by the same threat. Collaborating with partners and other companies you trust can offer a better and often faster way to prevent and detect attacks, as well as avoiding duplicating work that has already been done elsewhere.
Brand reputation, trust, customer loyalty and cybersecurity are tightly intertwined. Cyber-attacks that lead to data loss or theft have a long-lasting effect on a company’s image and credibility. IT needs to play an active role in defending brand reputation and value by strengthening the organisation’s resilience to breaches – enabling it to weather any storms that Brexit brings, and bounce back more quickly if the worst should happen.