The real cost of hacking

With fines threatened by GDPR for failure to report a security breach, the pressure to defend your data is mounting. But the full price of being hacked is even higher

For businesses around the world, it is now a question of when rather than if a data breach happens.

With fines threatened by GDPR for failure to report a security breach, the pressure to defend your data has never been higher. But the price of being hacked means more than money: the loss of trust has long-term repercussions.

There are volumes of research conducted by governments, universities and forensic firms alike which indicate the same trend: the organisation that you work for, regardless of size, is very likely to be impacted by a cyber-security issue. For those in management, communications or marketing roles, this is a significant reputational risk.

Businesses continue to suffer from cyber security breaches with significant financial implications, but the reporting of breaches so far remains relatively uncommon. This will likely change with the implementation of GDPR across Europe on 25 May 2018 when organisations will have to report certain types of personal data breach to the relevant supervisory authority within 72 hours of becoming aware of the breach, where feasible.

Based on recent experience of helping firms to prepare for or respond to an incident, that timeframe seems likely to be a challenge.

In the UK alone, according to the government’s Cyber Security Breaches Survey 2017, just under half (46 per cent) of all businesses identified at least one cyber security breach or attack in the last 12 months. This rises to two-thirds among medium firms (66 per cent) and large firms (68 per cent). Although the typical business is likely to experience only a handful of breaches in the space of a year, a minority suffer considerably more, sometimes even daily attacks.

The impact of such attacks is very real and measurable. Fifty-seven per cent of those who identified breaches also say the breach adversely impacted their organisation, either due to staff time used in managing the issue or in implementing new protective measures. Breaches frequently result in a financial cost to the business, with the average UK business facing costs of £1,570 as a result of breaches. This is much higher for the average large firm[1], at £19,600.

"Breaches frequently result in a financial cost to the business."

All the evidence shows breaches are happening every day, costing businesses across the world time and money. If businesses haven’t recently updated their crisis procedures or haven’t run a multi-function (including communications) cyber crisis simulation exercise, then that should be an immediate leadership priority.

An erosion of trust

But what about the long term impact on customers, employees or even suppliers? Do cyber breaches at a company materially impact trust in that business?

In another study by the Ponemon Institute and Centrify from May 2017, it is interesting to note the sizable gap between consumer expectation about the personal information they share with companies and those who are employees of businesses that handle consumer data.

Eighty per cent of consumers surveyed in this study believe organizations have an obligation to take reasonable steps to secure their personal information. However, only 49 per cent of chief marketing officers and 48 per cent of IT practitioners agree. This mismatch in expectation and mind-set can be critical in terms of the speed, clarity and transparency of response, particularly from an internal company perspective when bringing together the different members of an Incident Management Team.

"Eighty per cent of consumers surveyed in this study believe organizations have an obligation to take reasonable steps to secure their personal information."

The Ponemon study shows that 65 per cent of its respondents said a cyber-incident caused them to lose trust in the organization experiencing the data breach. Thirty-one per cent say they actually took steps to terminate their relationship with the breached organization, even though only 16 per cent of respondents say the data breach resulted in a criminal act such as credit card fraud or identity theft. Other studies reflect similar trends.

Trust in a company will be lost to a significant segment of customers, even if they suffer no personal impact or loss.

How can this loss of trust be mitigated, even if it appears that a breach of some sort, at some point, is almost inevitable? One important answer lies in positioning and communicating effectively both at the point of the breach as well as long after it has happened.

A strong narrative supported by evidence, together with well-tested plans, will help organisations recover more quickly or experience less impact in terms of both trust and share price movement[2] in the event of a breach.

If the response is swift, transparent and credible, supported by evidence about what the company has done and is doing to prevent any further damage, and provides clarity as to what customers should do to protect themselves, trust may be maintained. If any of these elements is tested and concerns about competency are raised, then trust will leak away quickly, and may never return.

Questions communications directors should consider:

  • Does my leadership team or board have appreciation for the risks posed by a cyber-security incident and are they willing to invest in planning and response testing?
  • Are my crisis communications protocols “cyber proof” and how do we communicate if our normal channels are impaired or not accessible?
  • Do we have training and awareness programs in place designed to educate employees and reduce negligence?
  • Are there clear protocols for responding to a breach that involve communications from the beginning, not as an afterthought? Does this include customer, supplier, regulator and employee communications, not just the media? How about social media? Who is responsible for what?
  • Do I know who the Incident Response team is for a cyber-breach? Is it the same for business recovery, or does it involve different functions? When did we last test our responses?

[1] Firms with more than 250 employees.

[2] The Impact of Data Breaches on Reputation and Share Value: A Study of US Marketers, IT Practitioners and Consumers, May 2017. Conducted by the Ponemon Institute and sponsored by Centrify. 8: The Impact of a Data Breach on Share Value.

Ben Curson

Ben Curson is a senior corporate issues and crisis management consultant, with long-standing experience in communications across a wide range of sectors and geographies. Currently a partner at communications consultancy CNC, he provides strategic counsel to senior executives of UK and global companies and institutions, and leads CNC’s crisis and cyber work. Having worked as a broadcast journalist and press officer at the Co-operative Group, Ben has subsequently spent most of his career in consultancy, as a partner at Penrose Financial, as group managing director at H+K Strategies London, and as managing partner at Instinctif Partners.