Calculating the reputational cost of cybersecurity breaches
High-profile cybersecurity breaches have hit a number of well-known companies over the last couple of years. TalkTalk, eBay and US retailer Target were among the organisations forced to admit large quantities of customer data were compromised due to cyber attacks.
Statistics from the UK government and PwC indicate that the average cost of a security breach for big businesses was around £1.46 million last year. This figure is more than double the £600,000 recorded in 2014. The breach at TalkTalk was estimated to cost as much as £35 million in one-off costs, the BBC reported.
With 90 per cent of large organisations and 74 per cent of SMEs reporting information breaches last year, it’s little wonder that businesses consider cybersecurity an increasingly important issue.
But financial costs are just the tip of the iceberg when calculating the potential aftermath of cyber attacks. How much of an effect does a breach also have on a business’s reputation? Consumer confidence can be fickle, which means enterprises may struggle to retain customers following a serious breach, even if the initial financial repercussions are limited.
The impact of reputational damage
A recent Ponemon Institute global survey of data breaches found the average total cost of a threat was US$3.79 million (£2.6 million) last year, with the UK coming in at just below this figure on US$3.72 million.
According to the data, the portion of the total attributable to reputational costs – such as abnormal customer turnover and loss of goodwill – was $1.57 million. This was up from $1.33 million in 2014 and represented more than 40 per cent of all costs.
“The growing awareness of identity theft and consumers’ concerns about the security of their personal data following a breach has contributed to the increase in lost business,” the Ponemon Institute stated in its report.
Earlier this year, the UK Information Commissioner’s Office emphasised the reputational risks that organisations face following a breach. The ICO has the power to fine firms £500,000 for contravening the Data Protection Act, which can prove a strong deterrent.
However, information commissioner Christopher Graham said the aftermath of cybersecurity failings can be much more significant. He quoted a YouGov poll that found 20 per cent of people would definitely stop dealing with a company following a breach, while a further 57 per cent would consider withdrawing their business.
“The knock-on effect of a data breach can be devastating for a company. Getting hit with a fine is one thing, but when customers start taking their business – and their money – elsewhere, that can be a real body blow,” he explained.
Is data breach fatigue a factor?
Not all research supports the assumption that data breaches can cause significant reputational damage. In fact, a 2014 Software Advice study suggested that many consumers are beginning to suffer from ‘data breach fatigue’.
Some analysts feel cybersecurity problems crop up so frequently in the media that most people are becoming desensitised to the issue. Unisys chief information security officer Dave Frymier claimed individuals have begun to feel powerless against cybercriminals, which can breed apathy.
The Software Advice research found that only 23 per cent of people were aware the eBay breach even occurred just a few months after the event. Notably, the company’s profits reportedly rose after the incident, indicating consumers were quick to forgive the online auction site.
Daniel Humphries, market research associate at Software Advice, said breaches have to be “truly massive” and involve credit card details for consumers to sit up and take notice.
“On the one hand, this is good news for companies: security breaches need not have any long-term effect on their fortunes; rather, they act as speed bumps,” he stated.
“And yet, this lack of long-term effects is also a danger. Public anger at data breaches could act as a strong incentive for firms to improve the quality of their security; in its absence, that incentive may be lacking.”
Taking the necessary steps
Calculating the true cost of reputational damage to a business is often difficult, with the research seeming to fall on both sides of the fence.
Some organisations describe the effect of data breaches as catastrophic for the company’s perception among the public, while others claim the impact may be exaggerated.
However, all the studies agree that serious breaches, particularly those involving credit card information, remain in the public consciousness long after the event. The Software Advice survey found 70 per cent of people remembered the Target breach ten months later, while 58 per cent could recall a similar incident at Home Depot.
Ultimately, businesses must tackle cybersecurity issues effectively to ensure their organisation doesn’t suffer reputational costs following an attack. As threats become more sophisticated, the demand for individuals able to step into cybersecurity and technology risk roles will only get higher.
This is why cybersecurity and IT skills are becoming increasingly sought-after in today’s tech-savvy, globalised corporate environment.
Our 2016 Market Report combines our review of the prevailing conditions in the security & resilience recruitment market together with the results of our latest employer survey.
Image: Kirill_Savenko via iStock