Do customers still care about data breaches these days? Has ‘breach fatigue’ turned outrage into apathy? Will a data breach really damage your brand and bring down your business?
In recent weeks, two Australian retail giants have each informed their online customers that their names, email addresses, order information and delivery addresses had been stolen in hacking attacks.
The retailers made it clear that no credit card or other financial data of their customers had been exposed – but that makes the breach no less concerning. With home addresses and purchase history, it would be easy for criminals to target the homes of people who had just bought a new TV, jewellery or even luggage, which suggests an empty home is imminent. And what about those discreet and potentially embarrassing purchases - the ones people typically make only online to avoid eye contact with sales staff?
Have customers accepted data breaches as an inevitable fact of life in a digital world? Are they aware of the personal impacts? Or is it only those of us in the information security industry, privacy advocates and those “in the know” who are paranoid about data loss?
Don’t hope for apathy - there is a significant cost to companies that suffer a security breach. In Australia, the average total cost of a data breach rose to $2.82 million this year according to the Ponemon Institute’s 2015 Cost of Data Breach Study. The study found certain sectors (especially financial service companies) experienced high customer churn following a data breach.
Credit ratings agency Standard and Poor’s said in a recent report that banks and lenders could see their credit rating cut if they failed to protect themselves from cyber-attacks or suffered a severe breach. “We view weak cybersecurity as an emerging threat that has the potential to pose a higher risk to financial firms in the future, and possibly result in downgrades,” the firm said.
For business-to-business enterprises, reputational damage is serious. It could mean breach of contracts, lost work, loss of intellectual property and a blacklisting in a sector or vertical.
It’s little wonder that the majority of Australian CEOs, CIOs, CSOs and IT managers cited “reputational loss” in a Telstra survey as the most serious and impactful result of a security incident on their organisation.
The public’s concern over a data breach is likely to increase further still when they find they are being targeted by criminals or more personal information has been exposed. It is easy to cancel a credit card. It is less easy to hide the fact that your name and details were found on the database of an extra-marital affair website.
Extortionists are using data hacked from the Ashley Madison website to track down Kiwis and Australians and demanding thousands of dollars in Bitcoin payments not to inform their partners and families.
As the huge amount of exposed data is analysed and matched with online profiles, there is little to stop criminals from identifying when individuals are going on holiday and selling that information to thieves. People can very easily become victims of identity fraud once their data is lost.
When a data breach has more significant knock-on effects for individuals, it will in turn have a more severe impact on a company’s reputation.
Although a data breach can feel inevitable, there are steps companies should take to protect their customers and themselves.
As an industry, we need more research and data to fully understand the impacts of a data breach on businesses and consumers. Recent major breaches have resulted in the removal of a number of top executives, a loss of focus on core business during the remediation and a short-lived bottom-line impact.
While some large businesses can return to “business as usual” within months, for others like the Ashley Madison website, the repercussions are dire.
Reputational damage of a data breach is complex to measure and is dependent on the type of business service offered, the customer base segmentation, the competitive landscape, any goodwill that might already be established towards the brand, timing and the type of data exposed. A breach will either result in a short-lived impact or total loss of business. What’s certain is the impact on the personal branding of top executives like CIOs, CISOs and IT managers, whose careers could literally end overnight.
Damien Manuel, Chief Information Security Officer (CISO) for Blue Coat Australia & New Zealand