Culture & Education / When a data breach isn’t a death sentence for your brand
When a data breach isn’t a death sentence for your brand
5 April 2018
Juliette Rizkallah, CMO of SailPoint
Can a data breach help your brand? It seems like a provocative thought as we see more and more enterprise reputations tarnished by headline-hitting data breaches. But every breach has its own unique chain of causality, and it is not necessarily the breach itself but the way in which a business responds to it that will be remembered.
By now, we have all accepted that it is not if, but when an organisation will be breached. As individuals, we have become desensitised to this sort of breaking news, and we probably have all been personally impacted by one.
For an enterprise, however, after a breach it is seen as mission critical to mitigate the breach as quickly as possible. But often we see reputational damage dealt to a brand by an ineptitude communicating the damaging news to customers and the public. A data breach may not sink a brand, but its response (or lack thereof) to a data breach may well do that.
The stigma associated with a breach is not nearly as strong as it was even a few years ago. Most of the data breaches that linger in the headlines are the ones where the company’s response was questioned, and its communication criticised, as we’re currently seeing with Facebook.
As another example shows, Yahoo! took a lot of heat after its series of breaches, as it became apparent that its approach to cybersecurity had been lax. A password reset was not made mandatory, and communication was vague and untimely.
It is human nature to not want to share bad news. In the case of a breach, it is also challenging to communicate what happened, simply because the company itself may not yet have all of the necessary details.
The impacted organisation needs to investigate when the breach started, how it happened and, more importantly, what data was stolen or compromised and whether that data is sensitive, such as personally identifiable information (PII), credit card information, health records or even tax records. In many cases, companies learn about being breached through a third party alerting them that their data is available on the Dark Web.
Sometimes these third-party investigators publish the news with little notice for the company to react. And in some cases, companies will wait to alert their customers after being notified, something that GPDR will soon address.
With the average time to detect a breach being over 200 days, a further delay in notifying customers is only giving malicious actors further chances to misuse sensitive data.
So, considering all this, how can a data breach possibly help a brand?
Also of interest: Transforming security decision making
The (oositive) brand impact of a data breach
With data breaches being increasingly more common today, organisations should start looking at them as an opportunity to interact with their customers. Transparency is critical to turning what can be a very negative situation for the brand into a positive one. Even if the breached organisation doesn’t have all of the answers to the who, what, when, where and why of a breach, openly and quickly acknowledging that a breach has occurred will go a long way in maintaining consumer trust. Organisations can keep that transparency going by sharing regular updates on the forensics investigation itself and on the steps being taken to ensure a breach will not happen again.
When it comes to a data breach, it is not just about communication, but also about culture and commitment to customers. Companies that clearly put their customers first will always come back with a stronger reputation. Home Depot is a good example of this: It was extremely proactive in its response, alerting customers even before they had a chance to fully confirm the breach.
Also of interest: Preparing for mandatory breach reporting
You’ve been breached. What’s next?
There are many steps to take to mitigate and shut down a breach once it has happened, and every organisation should have a plan to respond. A crisis communication plan goes hand-in-hand with this, ensuring that while one team works on the forensics and mitigation aspect of the breach, the other team is busy communicating the details of the breach to its core constituencies.
Above all, the communication to customers and to the public should come from the executive team as this will signal that the breach, and user/customer data, is being taken seriously.
Five rules to Follow in data breach communications
To get ahead of the next data breach you may face as an enterprise, here are five communications rules to bear in mind:
- Have a communications plan in place for when a breach happens.Within that plan, you should build out various scenarios based on whether you know the extent of the breach, what information was breached and the timeline for when the breach most likely occurred. A communication timeline should be established based on the findings, with regular updates shared with various stakeholders.
- Prioritise your customers and communicate with them first.Customers are the ones who will ultimately help you preserve the reputation of your brand. Recognising and reporting a leak as early as possible to your customers is always better than waiting for them to see it first in the news. This is one of the surest ways to keep and maintain consumer trust.
- Involve senior leadership in your communications strategy.It is crucial for top executives to share the message, showing customers how seriously you take the security incident, and their data. Having the whole company aligned behind one message will further strengthen the impact your response has on customers.
- Be transparent.Let everyone know the steps your company is taking to mitigate the breach and provide regular updates online (in a blog post, for example) where customers can easily find more information about the breach.
- Communicate, communicate, communicate.The more you openly communicate on the topic, the more in control of the situation you will appear. Continue communicating well after the news headlines are publicised to show that your commitment to protecting your customers’ data is real and constitutes a significant investment.
While no company can eradicate the risk of a data breach, all companies can be proactive in how they plan for the inevitable. In doing so, organisations can actually turn a very damaging situation into a brand-reinforcing event, creating customers that will trust your brand to do the right thing when it comes to security. Brand trust is, as we all know, essential to business success – but once consumer trust is lost, it’s almost impossible to get it back.
First discussed in Forbes as part of the Forbes Technology Council.
About Juliette Rizkallah
As a marketing veteran with more than 20 years of experience, Juliette brings a wealth of expertise and pragmatism to SailPoint in her role as Chief Marketing Officer. No stranger to the world of enterprise security, Juliette leads the company’s worldwide marketing efforts, and is responsible for articulating the company vision, product solutions, technology innovations and business purpose to customers, partners and media around the globe. Juliette has held executive positions and was an agent of growth at some of the world’s largest technology companies, including Oracle, CA, Business Objects-SAP and Check Point Software. She started her career as a strategy consultant at Bain & Company and Arthur Andersen France where she acquired her business impact focus. Juliette holds an MBA from Harvard Business School and a BA from Ecole Superieure de Commerce de Paris (E.S.C.P.) in Paris, France.
Also of interest: Cyber insurance: why is it so important?