The shifting landscape of cybersecurity and reputation risk
Five years ago, a major cybersecurity breach could seriously damage an organisation’s reputation. Make it two – or three – and that organisation might find it very difficult to recover stakeholder goodwill, as in the case of TalkTalk, when a series of hacks over the course of 2014 and 2015, accompanied by the apparent failure of the company to shore up its defences in response, led to a tenacious negative news cycle and an incremental loss of trust among stakeholders.
But would the same scenario result in an equivalent reputational crisis today? Cyber hacks have become so commonplace that businesses must assume it’s not a case of if sensitive data will be appropriated from their servers, but when. IT Governance reports that in July 2019 alone, 2.9 billion records were leaked worldwide, with targets including a Japanese cryptocurrency exchange, banks in Bangladesh, Kyrgyzstan and Sri Lanka, and the LA County Department of Health.
Cybersecurity arms race
Awareness of the steps that can be taken to manage digital risk has grown enormously, but so too has the sophistication of cyber criminals and the methods they use to break down organisations’ defences. And it seems that stakeholders are beginning to understand and accept the complexity involved in protecting against cyber threats – potentially muting any resulting backlash against companies that fall victim to them.
Take Capital One. In July 2019, the bank admitted that a web application firewall had been breached in March that year, with the hacker accessing personal information from 106 million customers, largely lifted from credit card applications. Capital One’s share price dropped 6% in the days following the announcement, but despite logging one of the biggest data breaches ever, share prices never dropped as low as they did in 2018, and soon recovered to pre-breach levels.
The bounce-back can be partly attributed to shareholders becoming inured to these events – even those on an unusually grand scale. But it can also be credited to the bank’s open and timely response. After the issue was uncovered, Capital One immediately fixed it and started working with law enforcement officials. “I sincerely apologise for the understandable worry this incident must be causing those affected and I am committed to making it right,” stated CEO Richard Fairbank, promising to notify people affected by the breach and make free credit monitoring and identity protection available. The bank insisted that it had heavily invested in cyber security and would continue to do so in light of the incident. The hacker was apprehended, without apparently having disseminated any of the information she stole, and it appears Capital One’s reputation will ride out the attack.
A reputational opportunity?
A more interesting and perhaps counterintuitive question is whether, in a landscape where cyber breaches have become everyday news, there is an opportunity to proactively enhance reputation by demonstrating rapid response times, ongoing vigilance, and investment in defence. In the same way that an initially negative customer experience can result in an opportunity to actually enhance customer relations, can cyber attacks be an opportunity to boost reputation?
As cyber crime retains its top risk ranking among US risk managers, with the average cost of a cyber breach standing at $3.86m in 2018, it’s accepted that almost everyone is going to get hit – but those seen to respond most effectively will gain the most trust, and win the approval of stakeholders. In an environment where all organisations are vulnerable, and the threats are constantly evolving, there may be significant reputational benefit in rethinking the opportunity presented by a cyber attack.