The reputational risk of cybersecurity attacks: TalkTalk case study
TalkTalk’s announcement of a cybersecurity breach on October 22 is the latest in a long line of similar incidents which have affected companies including Sony, Ashley Madison, Barclays and Carphone Warehouse amongst others.
While opinions are divided, many commentators have used this incident to highlight their belief that data breaches are inevitable. John Stewart, CSO of Cisco, claims that a data breach is not a unique experience: “You’re eventually going to be hit. It’s not worth the effort of thinking you won’t be hit. It’s no longer a relevant conversation.”
Google and McAfee estimate there are 2,000 cyber attacks every day around the world, costing the global economy about £300bn a year, while the Institute of Directors (IoD) said only “serious breaches” made the headlines, but attacks on British businesses “happen constantly”.
While much of the commentary has focused on how companies should prepare themselves to defend against attack, alva leveraged its content analytics engine to understand the reputational impact of such events and what lessons there are for companies planning for and responding to data breaches.
This alva report analyses the issue of data breaches using over 12 months’ worth of data for TalkTalk, Sony, Barclays, RSA, LV= and Carphone Warehouse. The analysis is of 1.5+ million pieces of publicly-available content including traditional media (print, broadcast, online and subscription sources), social media (Twitter, blogs, forums and social networks), surveys and analyst reports.
This alva analysis report seeks to answer the following questions:
- What is the measurable impact of data breaches on corporate reputation?
- How have data breaches affected different companies – is the effect uniform?
- What are the variables that affect how damaging a data breach is to reputation and what can companies control to limit reputational damage?
How damaging is a data breach?
Deloitte’s 2014 global survey on reputation risk found that Security (physical or cyber) was one of the three key drivers of reputational risk among the 300+ executives it sampled. While this is an interesting indicator of what this group of executives is concerned about, it reflects very much an “inside-out” view of reputation.
To truly understand the drivers of reputation, the most robust approach is to analyse what different stakeholders think and feel about the issue and to what extent concerns about a particular issue cloud or come to define their associations with and perceptions of the organisation.
Publicly-available content provides organisations with a wealth of direct and indirect stakeholder perceptions that can be interrogated and analysed to understand shifts in sentiment for companies, issues and stakeholders over time.
Starting with the most recent incident, we can use alva’s reputation tracker to observe the impact of TalkTalk’s three data breach events on its reputation score.
The three highlighted points all represent instances of reported data security issues over the period analysed, and we can observe the increasing magnitude of their impact on both TalkTalk’s daily sentiment scores and its longer-term sentiment trend.
The graph below helps us establish that data breaches do indeed negatively affect a company’s reputation. Further to that, we can also extract three working hypotheses regarding the ways in which data breaches affect reputation, as outlined below.
Figure I: TalkTalk sentiment score over time – data breach issues highlighted
Hypotheses on impact of data breaches on reputation
1. Impact: Data breaches can result in some of the most impactful downturns in sentiment for an organisation. The graph shows that two of the four largest declines in TalkTalk’s sentiment score resulted from data breach concerns, making data breaches a genuine reputational risk.
2. Lifecycle: Data breaches can produce tenacious negativity; TalkTalk’s sentiment trend did not return to its pre-breach starting point until early May (the breach was reported in late February) and negative data breach content only subsided in June following TalkTalk announcing that it was changing the way in which it processed credit and debit payments to reduce the risk of a future breach.
3. Increasing severity: There is a visible ramp-up in the impact of the data breaches on reputation over the three highlighted events. This is clearly in part due to differences in the scale of the breaches, but there is the additional element of an incremental reduction in stakeholder trust when a company is repeatedly exposed to the same risk. In our analysis of Thomas Cook’s reputational challenges in 2015, we pinpointed how repeat negative issues can reach a tipping point beyond which the company loses the opportunity to mitigate the risk and damage limitation is the best available outcome. With TalkTalk, we appear to have a similar dynamic where reputational risks have not been successfully managed and therefore become much more damaging.
Which stakeholders are the most affected by a cyber breach?
At alva we talk about reputation being in the eye of the stakeholder. Your reputation is what other people think and feel about you, seen through the lens of their expectations and needs.
As exemplified in our analysis of the workplace allegations at Amazon, companies have multiple reputations. Not all stakeholders will be concerned by the same risks.
Analysing a further level of detail for the TalkTalk data breach, we can see that sentiment scores for all five stakeholders featured below took a significant downturn, with the particular interests and expectations of each group compromised by the issue.
Figure II: TalkTalk stakeholder analysis by issue and month-on-month score change
The risk presented in this data for TalkTalk is that such significant swings in scores are frequently leading indicators of a fundamental shift in the relationship between the stakeholder group and the company.
For customers, this manifests itself in an increase in active criticism of the organisation and the proactive discussion of switching providers (see our VW emissions analysis for more information on Social Media Advocacy as a Consumer Purchasing Indicator).
TalkTalk’s Social Media Advocacy score has plummeted since the incident with a significant increase in switching behaviour expressed online suggesting future retention and new business concerns.
For investors the drop in TalkTalk’s share price is indicative of concern over the company’s customer base, its ability to prevent a future recurrence and its exposure to regulatory pressures.
For regulators and politicians the number of people affected necessitates a firm stance against the company, with lengthy reviews or probes potentially fuelling future coverage of the breach and thereby extending the lifecycle of the issue.
A general rule of thumb when assessing the extent of a reputational risk is to assess the number of stakeholders affected; the more that are impacted, the longer and more damaging the risk.
How damaging is a data breach to reputation? Other examples
Having conducted a detailed analysis of the impact of the data breach on TalkTalk’s reputation, we need to understand how representative this incident is of other data breaches in order to understand whether the hypotheses established from TalkTalk hold water.
Figure III below shows the change in sentiment scores over the first three days following data breach incidents at the affected companies.
Figure III: 3-day aftermath of companies affected by data breaches
Hypothesis 1) Impact – data breaches result in significant reputational declines
We can observe that all companies shown in Figure III experienced decreases in score immediately following their data breaches; however, the extent to which they declined varies dramatically. Qualitatively, there are several factors behind the extent of the decline experienced by each organisation:
Size of breach
- RSA and LV=’s incidents were relatively minor compared to the scale of the other companies featured, helping generate a shallower decline in scores
Origin of breach
- Both TalkTalk and Carphone Warehouse’s incidents were described as being external breaches, highlighting a systemic failure in their security systems and raising the possibility of future attacks. Where the breach is internal, as was the case with LV=, this can be attributed to a “rogue employee” and the likelihood of repetition can be seen to be lower. That said, there is a broader question about culture in these instances.
Hypothesis 2) Lifecycle – data breaches can result in tenacious negativity
While the example of TalkTalk gave us grounds for building this hypothesis, Figure III has shown that this is not the general rule and that companies can bounce back quickly from breaches should the right factors be present.
But neither is TalkTalk the exception to the rule, as Figure IV below shows us in the prominent example of Sony Pictures’ data hack.
Sony’s score took longer to decrease, but its data breach issue experienced a series of newsworthy developments (see annotations in Figure IV), which meant that its impact was prolonged and sentiment took many weeks to return to neutrality.
Size of breach
- Again a key factor, larger breaches are clearly more newsworthy and affect a high number of people meaning that they may take longer to resolve. An additional contributory factor to longevity is if the company becomes a case study for an issue (e.g. BP and reputation damage) which can engender a longer lifecycle through referencing in future similar incidents that befall other companies.
- For Sony, the staggered release of the data (in combination with their incendiary contents) also kept the issue in the spotlight for longer.
Speed of Response
- Carphone Warehouse, RSA and TalkTalk were heavily criticised for the perception that they did not inform customers of the risks promptly. This increased negativity and the issue’s lifecycle.
- Barclays and LV= both received praise for the effectiveness of their responses, with Barclays reporting the incident immediately and offering compensation to customers. This helped swiftly resolve the issue and its reporting.
- As with TalkTalk, Sony’s data breach affected multiple stakeholders, including politicians and regulators. The slower speed of response from these latter groups keeps the issue front of mind and contributes to a longer lifecycle.
Figure IV: Sentiment and Sentiment Trend for Sony post-data breach
Hypothesis 3) Increasing severity – repeated incidents exacerbate negativity
Figure III shows us an interesting counterpoint to the TalkTalk example; all other companies featured show a relatively quick return of sentiment following their data loss incidents – not always back to neutral in the case of Barclays and Carphone Warehouse, but an upward trend is resumed.
The key distinction between TalkTalk and the other companies tracked is that this was the third such data breach incident it had faced, whereas the other organisations had only experienced one, or two in the case of Carphone Warehouse (dating back to 2011).
If we re-plot Figure III swapping the data for TalkTalk’s third data breach incident with that of its first, we can see that the company’s score mirrors the response of the others; a shallower decrease followed by a swift recovery.
While the comparisons are not like-for-like given the difference in scale of the 3rd TalkTalk data breach versus that of the first, this gives us a good indication of the order of magnitude associated with repeated incidents versus one-offs.
This trend supports other alva reputation data looking at the cumulative impact of repeated online access issues for banking customers and their propensity to switch banks.
Figure V: 3-day aftermath of companies affected by data breaches (TalkTalk 1st incident)
Conclusions and takeaways
Data breaches always present a reputational risk: Cybersecurity issues will result in a decrease in a company’s immediate sentiment score. The extent to which they damage reputation is dependent upon the size of breach and the origin of the breach (internal or external).
A key driver of reputational damage from a data breach is the longevity of the incident: Factors that can prolong an incident are:
- The size of the breach
- The staggered dissemination of information or reporting of the event
- The number and type of stakeholders affected (especially Politicians and Regulators)
- How quickly and effectively the company is perceived to have acted. Compensation payments (for customers) or stakeholder-specific alternatives (unprompted, proactive notification of the incident to the relevant authorities) often evidence this effective response.
Repetition is not an option – three strikes and you’re out: One breach may be forgivable (size of breach notwithstanding), two causes concern, but three is very rarely acceptable and will cause a number of stakeholders to fundamentally re-evaluate their relationship with the company. For customers this may mean switching; for investors, divestment; for regulators and politicians, investigations or probes; and for the media, a more negative depiction of the company in future reporting.