I really think we need to look at history as an indicator of the future.
It’s the worst call a C-suite executive can get: A panicked IT technician tells you that your records have been compromised. Customer information may be out in the wild, and there’s nothing you can do to get it back. You know that there will be financial implications, but the dangers are unlikely to end there.
Ahead of you lies a torrent of consequences that may not immediately affect your bank account but could have a profound psychological and emotional impact on your company, its employees, and its customers. From Sony and Target to Yahoo and Equifax, history tells us things don’t tend to end well for those involved. Here’s what you can expect and how you can prepare for it.
Aside from lawsuits and regulatory penalties, one of the biggest impacts of a data breach can be to damage a company’s reputation. It can take years to build trust with customers, but that trust can be blown apart in minutes when customers see their details surface online.
The Ponemon Institute, which assesses the cost of data breaches, surveyed marketing executives, IT practitioners, and consumers as part of a 2017 study of the impact of data breaches on reputation and share value. It found that 61% of CMOs and 45% of IT practitioners considered reputation damage to be the biggest impact of a data breach.
How does damage to a company’s reputation show up? One way is through customer churn. Ponemon’s study found that 27% of the 405 consumers interviewed discontinued their relationship with a company when it suffered a breach. The takeaway: Damage to reputation can show up on your bank statement.
Not all reputation risk is contained to customers, though. The Sony Pictures hack of 2014 may seem like a long time ago, but it is the perfect example of how the impact of these breaches can stay with those involved for a very long time. When its emails were released for all to see, the company faced a torrent of embarrassment and humiliation that was hard to come back from. This article highlights some of the leak’s “greatest hits.” Still today, this stands as one of the great hacking case studies, and illustrates why you need to be careful what you say in your emails.
In reality, while hacks can knock a company sideways, it takes a large broadside to wipe a company out altogether. It certainly happens, though, especially when that company bases its own brand on security and protection.
One good example here is Dutch certificate authority DigiNotar. In 2011, hackers compromised it and began issuing fraudulent certificates. The company couldn’t recover the confidence of its customers afterward and went bankrupt.
Also, consider cybersecurity company HBGary. Hacktivist group Anonymous hacked its HBGary Federal arm and posted its emails online after the division’s chief executive Aaron Barr claimed to have infiltrated the group. It took just a year for HBGary to be acquired by IT services firm ManTech, by which point HBGary Federal had reportedly closed.
Even if companies don’t close, they can suffer a loss of confidence in the financial markets. The Ponemon study took a subset of 113 publicly listed companies that had been breached and compared their stock prices from the 30 days prior to the 90 days afterward. The researchers saw stock prices drop an average of 5% as a direct result of these breaches.
The psychological impact of a breach can strike at the heart of a company, damaging its personnel. Barr was forced to resign after the HBGary Federal scandal, but not before receiving personal threats. Elsewhere, other CIOs and CISOs have not been so “lucky.” Those in charge of security at Equifax and Uber didn’t get the chance to resign; they were fired after their security incidents.
Sometimes, the ramifications can extend to the highest echelons of government. In 2017, two Swedish ministers lost their jobs after a breach allowed overseas IT workers to access confidential government and police information.
What can companies do to protect themselves from this fallout? The obvious answer is to do everything you can to prevent such a breach in the first place. Putting effective security controls in place and training employees to follow them can go a long way toward mitigating risk.
Preventative measures include encrypting customer data and protecting the encryption keys, and protecting employee and customer accounts from hijacking with tools such as identity and access management (IAM) and multifactor authentication.
Even so, no company is 100% secure. The real test comes when hackers successfully infiltrate your systems in spite of your best efforts. Then, you’ll need a watertight incident response plan providing play-by-play technical instructions to contain, neutralize, and recover from the threat. Include a policy that shows how to take responsibility for the incident, inform customers transparently about it, and explain what you’ll do to make things better.
With the implications of a data breach reaching far beyond the initial financial shock, it pays to get ahead of the problem. You should always be prepared. Working with professional service providers to protect yourself, along with planning your incident response playbook, will prepare you for the worst—and maybe help you avert it altogether.
Tim Brown is VP of Security for SolarWinds MSP. He has over 20 years of experience developing and implementing security technology, including identity and access management, vulnerability assessment, security compliance, threat research, vulnerability management, encryption, managed security services, and cloud security. Tim’s experience has made him an in-demand expert on cybersecurity, and has taken him from meeting with members of Congress and the Senate to the Situation Room in the White House. Additionally, Tim has been central in driving advancements in identity frameworks, has worked with the US government on security initiatives, and holds 18 patents on security-related topics.