As more retail chains become easy pickings for cybercriminals, brand managers are finally becoming appropriately concerned about endpoint security. It’s taken these highly visible and widespread attacks by malicious actors to serve as the wake-up call to executives who have been slow to see cybersecurity as a core responsibility.
I’m sure you are familiar with the headlines:
- CEO Gregg Steinhafel resigned in the aftermath of Target’s infamous 2013 security breach, underscoring the new reality that data breaches have far-reaching consequences for companies and their brands.
- The supermarket chain SuperValu (at least 180 stores affected) and UPS (51 stores) recently disclosed information about a related data breach after Homeland Security and the Secret Service issued a warning that more than 1,000 American businesses have likely been affected by “Backoff.”
- In a potentially related case, Home Depot recently acknowledged that a major breach of its POS systems dating as far back as April has allowed an estimated 56 million credit card numbers to be compromised. The full extent and origins of the damage remain to be seen, but it is likely the largest breach to date.
- In the most recent news, the JP Morgan Chase breach compromised the accounts of 76 million households as well as those of seven million small businesses, making it one of the biggest security breaches to date.
These breaches are rising rapidly. Ponemon Institute’s 2014 Cost of Data Breach report, for example, found that the average abnormal customer churn rate after a breach rose 15% over last year. This highlights the public’s growing concern over the security and privacy of information, and underscores a need for companies to secure their infrastructure in order to protect their reputation over the long term.
Even for beloved brands like Target, the impact is significant. Target reported in February that its fourth-quarter profit had fallen 46 percent, after the holiday season breach scared off customers. The retail giant’s total breach-related expenses have reached $235 million so far; some analysts initially feared the fallout could reach $1 billion. Other factors influence stock price, but I’m certain we will see more instances of breaches being a tipping point or last straw for companies that were already vulnerable.
Security + Privacy = Trust
Consumer loyalty to brands is all about trust, which today has everything to do with security and privacy. When consumers feel that this trust has been broken, brands will suffer long-term consequences.
I can’t say it enough: prevention and detection are both critical to security. Let’s face it, the bad guys are already inside. Taking preventative measures keeps networks under better control and eases recovery and remediation efforts. Security leaders should never assume that intruders are not able to get in. Brands need to invest in better security detection and prevention solutions that will help avoid a similar breach in the future. They should also let consumers know that they are making these investments and taking these measures.
Shortening the time from attack to detection is the absolute number one key to mitigating damage to a brand’s reputation, bottom line, and customers. As consumers become more disgruntled and more educated about these breaches, expectations will shift. Discovering malware months after initial intrusion will be seen as negligence and/or incompetence in the court of public opinion. Until recently, the average consumer may have regarded such breaches as inevitable and experienced only minor inconvenience. As breach notifications increase, concerns about identity theft mount and consumer patience erodes. Likewise, government leaders, legal advocates, and credit card companies have begun to push back on retailers.
A unified, system-wide view of security enhances information sharing between IT and the executive suite. Cross-functional teams must be allowed to communicate risks effectively with the help of real-time factual reports, and awareness of these risks must spread beyond the walls of the IT and security departments. Open and trusted lines of communication may be one of the most effective ways to shorten the intrusion-to-detection dwell time. Target learned this the hard way when an employee complaint on Gawker.com triggered a very public discussion about corporate culture and the company’s failure to heed internal warnings leading to the breach.
Ultimately, brand and reputation become synonymous in the eyes of customers and the market as a whole. In order for organizations to rebuild or even maintain trust, they need to recognize that a breach in this day and age is inevitable, and that their brand’s reputation will therefore depend on how they deal with it.