We’ve covered the importance of preventing human error and how data breaches can be damaging in terms of privacy. Now it’s time to consider the significance of protecting data in terms of brand damage and financial loss.
According to data from ADAPT’s CISO Edge, 90% of Australian CISOs include brand damage as their most important driver for implementing security initiatives, with 73% including financial loss as the most important factor. This makes brand damage and financial loss two of the most significant reasons to implement proper cybersecurity measures for your organisation.
Once a data breach has happened, financial consequences are a logical concern. Adam Bird, KJR’s NSW General Manager, explained the severity levels data breaches can mean for organisations. “When you’re looking at different types of organisations, some will definitely face higher financial impacts than others, depending on the data stolen and the organisation’s response to it.”
Data breaches affect organisations and customers financially in a number of ways – let’s explore some of the most significant.
A hefty fine
Under Privacy Act regulations, companies exposed to a data breach can be reprimanded with a fine of up to $10 million from the Office of the Australian Information Commissioner (OAIC), depending on the level of negligence associated with the breach. The Notifiable Data Breach Scheme was introduced in 2018 so organisations would stay aware of the implications involved in data privacy and take the right measures to prevent breaches. Read KJR’s Survival Guide to the Notifiable Data Breaches Scheme here.
It’s common for organisations’ stock prices to decline following a data breach, potentially irreparably. US company Equifax faced a significant data breach in 2017 with over 145 million customers’ data being impacted. Their stock prices reflected the severity of this breach, dropping from $143 to $116 in September of that year. Similarly, Facebook’s shares fell by nearly 40% throughout 2018 following the Cambridge Analytica scandal, accompanied by a steep decline in trust from its users. Of course, the damage isn’t always permanent; whether a company can bounce back depends largely on its underlying ‘stability’. Equifax is a prime example: it had restored its stock to around $140 as of September 2019, meaning the initial damage was salvageable given its established structure and organisational stability as a major consumer credit reporting agency in the US.
Looking towards the impact of data, LinkedIn announced a data breach in 2012 – which included the emails and passwords of over 115 million users. While LinkedIn was able to inform users and urge them to change their passwords as they learned details about the hack, the real financial significance of this hack was the impact on its users. “When personal information is breached, it will very likely lead to data theft of customers, users and employees”, Adam explained.
While this doesn’t directly affect an organisation’s financials, it impairs the financial wellbeing of the organisation’s stakeholders. From the perspective of a consumer, if their LinkedIn account was hacked and accessed, that could allow unwanted entry to their resume, email address, work history, phone number – all things that could lead to identity theft or abuse of customer information.
When you think of data breaches, you probably think of identity theft and the immediate financial losses that come with it – but there are other, more indirect ways organisations can suffer damage. For example, hackers that break through a company’s walls may implement hidden ‘back doors’ in the company’s system, allowing them to strike again in the future. With this ‘back door’ in place, hackers are better able to attack again and access data as they desire – including updated financial and proprietary information. This simply reinforces the importance of having quality security measures in place.
Financial losses aren’t the only thing causing organisations grief from data breaches. Reputational impairment is an equal if not more important consequence for companies to prepare for.
Customers want to be able to trust organisations with their data – not worry about their information being safe. Looking back to Yahoo’s data breach in 2016, the brand took two years to discover it and alert the half-a-billion affected users. This was two years too late, however, and reputational damage to the already declining brand was locked in place. Yahoo now has a reputational Brand Index of 15.5, as opposed to Google at 40.4.
Companies can face reputational damages and consequences following data breaches in an endless number of ways – here’s a glimpse of some of the biggest ones.
The witch hunt approach
According to Adam, a lot of organisations opt to take a “witch hunt” approach, in which the lower end of large-scale organisations don’t take immediate preparatory measures due to the high investment involved. Instead, they wait and see how the public will react to other organisations’ data breaches and observe how their reputation suffers before taking measures.
“A risky approach”, if you ask Adam. It puts companies in the firing line considering their lack of protection of customer data – and highlights their failure to care about it.
Loss of trust?
During the 2000s, when cyber risks were just starting to be established, organisations would worry about losing the trust of their customers and having them leave after a data breach. Looking forward, as 2020 approaches, things have become more complex as the technological landscape has evolved. According to Adam, “most customers know how data breaches can affect them and take the right measures to protect their accounts once informed about it”.
The real issue revolves around aspects like what data was breached, how long it took for the organisation to respond, how they reported it, and how long it took to announce it to customers. Adam explains “ignorance is not a defensible excuse anymore”, and organisations are expected to be aware of data security risks to be responsible corporate citizens. “If you haven’t been a good corporate citizen, it can be very difficult to bounce back from a data breach”.
Up to 70% of consumers would be more likely to abandon a brand after it experiences a data breach, according to a global study by Gemalto. This can stem from multiple reasons: feeling that their data is unsafe, or the organisation’s public response to the breach and the way it informs customers. Organisations can and do report data breaches; however, the way a breach response is communicated doesn’t always land well with customers. For instance, when design platform Canva was hacked, the response email sent to notify users buried the unfortunate information under a more joyful introductory paragraph. As a result, customers criticised Canva on social media regarding their marketing strategy and lack of transparency, somewhat decreasing the trust of their userbase.
Speaking of customers leaving, when an organisation gets hit with a data breach, opportunities open for competing brands. Adam explains this typically happens when “competitors start customer acquisition campaigns, depending on the industry, to acquire affected customers”. Competitors can take advantage of the breach through campaigns outlining their security practices to potential customers. This highly relevant and contextual campaigning can lead to an immediate influence on customers who might feel more compelled to leave a brand for the ‘safer’ alternative.
A swift recovery
Although recovering from a data breach is difficult, it’s certainly possible. To ensure correct measures are taken, the OAIC has suggested four key procedures:
- Contain the breach.
- Assess the risks associated with the breach.
- Consider breach notification.
- Review the incident and take action to prevent future breaches.
All companies should understand this, especially if cybersecurity measures haven’t been properly implemented yet. These can be viewed in more detail on the OAIC website.
Security incidents are inevitable, but how your organisation prepares and responds to them can determine your company’s safety. At KJR we recognise how essential cybersecurity is and help organisations implement the correct measures to address cyber risks.
If this article has prompted the need for a cybersecurity review or cybersecurity awareness training within your organisation, please contact KJR for a requirements discussion and quote.