The majority of senior marketing and IT professionals agree that a data breach would have a negative impact on their company’s reputation, rating it as more serious than even a scandal involving the CEO. When it comes to agreeing where that impact will hit hardest, however – and whose responsibility it is to manage the risk – it’s another matter entirely.
This disconnect threatens the safety of customer data and the reputation of brands as GDPR looms. Data breaches can cause brand damage that will continue to bite long after the fines have been paid.
According to a study from Ponemon, commissioned by Centrify, 65 per cent of customers affected by a breach lost trust in that organisation, with one in four taking their business elsewhere. Meanwhile, the stock value of 113 companies studied declined an average of five per cent the day a breach was disclosed. This has the potential to wipe millions off a brand’s value and put employees’ livelihoods at risk.
Senior marketers recognise the risk, with almost two-thirds believing that loss of brand value is the biggest cost of a cybersecurity incident today, alongside decreased trust and reputation. However, IT practitioners were more worried about losing their jobs, and their department coming under greater scrutiny, than damage to the brand, reputation, and trust. Only three per cent are concerned about a decline in the company’s stock price after a cyberattack.
Whose job is it anyway?
In addition to clashing priorities, there is disagreement over who is responsible for preserving brand reputation by protecting customer data. Seventy-one per cent of IT practitioners say it’s nothing to do with them, whereas more than two-thirds of senior marketers believe the buck stops with IT. Less than one fifth of IT practitioners allocate security budget to brand protection or collaborate with other departments on this.
One thing that CMOs and CIOs do agree on – worryingly – is that brand protection is not taken seriously by their company’s C-suite, either.
It’s clear that marketing and IT are still working in silos when it comes to protecting customer data and brand reputation through better security. This is a serious concern: GDPR will impact every part of the business, and any data breach will be a corporate crisis.
Open up lines of communication
CMOs and CIOs are not talking to each other enough about data security issues. Organisations need to close the gap between the functions, encouraging and facilitating conversations between teams.
IT and marketing should reconsider their siloed priorities, working together to determine and execute shared plans. Marketing teams are a vital component in incident response plans, for example, to ensure customers and shareholders are communicated with in the right way if a breach occurs. IT should aim to better understand the link between cybersecurity and brand, and play an active part in developing and executing the strategy.
Take the lead
The C-suite and boardroom must be fully and actively engaged in data security, because protecting a company’s image and credibility requires a holistic and strategic approach. Senior executives need to lead on developing and implementing a security strategy that protects the entire business and brand.
If there’s a CISO on the board, they can take responsibility for improving communication across the business, as well as engaging senior-level executives in the need to invest in appropriate security defences.
The cultural change required across the business also has to come from the top down. The challenge is in telling the data security story in a language that everybody will understand and agree on. Organisation-wide training and awareness programmes will effectively increase employees’ understanding of the impact of cyberattacks, and get everyone working together to protect information.
The Ponemon research revealed that companies with a strong security posture – which have invested in people, process and technologies – are less likely to see a decline in share prices because they’re better equipped to respond. Adequate investment must be made in skilled staff and up-to-date security-enabling technologies, particularly enterprise-wide data encryption. An identity and access management (IAM) system will enable the business to control and audit who can see what data and when.
The best approach to security is to adopt a ‘zero trust’ model, working on the basis that absolutely everything on the network – users, endpoints and resources – must be verified.
A threat response plan is also key. This should include procedures for communicating with customers, investors and regulators, and pre-assigned roles and responsibilities, which will help to drive a culture of ownership.
Data security plays a major role in protecting corporate reputation and brand value. Breaches are a business problem – and if the disconnect between IT and marketing is not addressed, the organisation cannot move forward as one. The consequences of this could be serious: customers are savvy about the new rights they’ll enjoy under the GDPR, and will vote with their feet if businesses fail to meet expectations.