Cyberattacks cause more than panic and paranoia among an organization’s IT staff. On top of risks to data and the disruption of daily operations, breaches cost money, time, and reputation. If the response is planned well, both the time and the cost can be minimized. And the speed of response, as well as the way the matter is handled with clients, can help minimize damage to an organization’s reputation.
Unless an organization has a stranglehold on its industry, reputation matters. And in smaller companies, reputation matters even more.
Large, hard-to-replace companies may not feel the effects of a breach on their reputation as sharply as companies with a lot of competition. For example, Facebook’s repeated data breaches cost the company in value and trust, yet users aren’t leaving the platform in droves, not yet anyway. The Cambridge Analytica scandal caused user confidence to drop by 66%. And one breach later that same year caused Facebook stock to fall 3% (or $13 billion) after hackers gained access to 50 million user accounts. A year later, it’s still 10% below pre-scandal levels.
Obviously, most companies aren’t Facebook, where users only threaten to leave but most will remain. The same sorts of scandals, breaches, and failures to protect data by other organizations often result in very different and sometimes game-ending scenarios.
Reputation and Response
Major breaches happen all the time. Fending off and recovering from the attack on a cyber level is one thing; responding to customers is another, equally important step.
Compare the responses to, and results of, the cyber events at Norsk Hydro and at Equifax:
Norsk Hydro’s response was praised as “‘the best incident representation response plan I’ve ever seen,’ and good incident response is good for business.” They alerted customers, switched to manual operations, worked their response plan, and became transparent about steps and events. All this resulted in Norsk’s share price rising to higher than it was beforehand, despite the incident resulting in estimated losses around $40 million. Their reputation, if impacted at all, has only been improved.
On the other hand, Equifax delayed letting customers know (which also broke data breach notification laws), sold off millions in stock, making it look like they had no trust in the company’s survival, built a new site which was pwned, passed phishing links on to customers, and sent out the wrong notification letters. Since the breach, the company has been completely reshaped and will be run in partnership with another, but still with no announcements on data security. Equifax’s incident response failures go far beyond this list. The results of the mishandled response are clearly demonstrated, with their former headquarters now being an art school and their stocks trading at 15% less than a year ago.
Small businesses are not exempt. They are increasingly targeted for their own data and assets as well as for backdoor access into larger organizations, so it’s essential to have a plan in place that covers not just prevention but also the steps to take once the unavoidable happens, because the saying is true: it’s not if but when.
As much as C-level executives may have the desire to apologize after a breach (or not), as in any apology, what matters isn’t the words but the actions. Actions speak louder than words. Work through the company’s response plan. Be transparent. Communicate, communicate, communicate. Outline the steps the company is taking, forecast a realistic timeline and keep that updated, and be honest. “That transparency and that speed of which you get it out is critical. You can’t do like what Equifax did and sit on it for three or four months. It completely destroys trust and your brand and your company.” Finally, make lasting changes that improve the organization’s ability to protect and provide for the customer in the future, and communicate those changes to customers.
Cybercrime is a fact of today’s business world. Companies will be hacked. Defenses will be breached. Data will be exposed. Operations will be impacted. Preparation helps minimize the damage that can be caused. Having a plan in place that works, and working that plan when needed, is essential. Communicating with customers in a timely manner is now part of the equation.