As more of our daily lives play out on the internet, including routine transactions, the likelihood of bad actors attempting to take advantage also increases. If the latest data-security breaches among leading businesses as varied as Clorox and MGM Resorts tell us anything, it would seem to be this: No one is safe.
Or, when it comes to matters of cybersecurity and the value of sensitive customer data, the more apt conclusion may be that there is no such thing as too big to fail. For example, Clorox – makers of Pine-Sol and other prominent household cleaning products – has reportedly already spent $25 million to clean up the mess left behind from what it has described as an “ongoing attack.” With its systems held hostage by ransomware criminals, the company was reportedly forced to pause certain operations and, in some areas, resort to manual procedures. Although Clorox resumed all aspects of manufacturing in late September, the damage had been done: the company, which experienced product shortages in the wake of the breach, expects a first-quarter earnings loss.
But what about the hidden costs for a business that is sideswiped by a cybersecurity attack? While the average cost of a data breach in 2022 was $4.35 million, according to UpGuard, the cost in lost business totaled $1.42 million. The long-lasting and cascading effects of the loss of customer trust, although much more difficult to calculate, may be just as damaging to a brand’s bottom line.
The Implications for Companies After a Data Breach
Over the years, we’ve witnessed the compromise of security at Facebook, LinkedIn and other information-based giants by major data breaches – including multiple hacks, in some cases. The material costs for those companies have not been insignificant. And in the fourth quarter of 2021, for the first time in its history, Facebook lost users. In May, LinkedIn cut more than 700 jobs. Given the other challenges those organizations have encountered, it’s uncertain precisely how much of their struggles can be tied back to data-security issues.
What seems clear is that the public doesn’t have high expectations for these businesses to keep their data safe. According to the 2022 Thales Consumer Trust Index, social media companies are among the organizations with the lowest levels of consumer trust in their cybersecurity measures. Although these information-driven companies have inarguably weathered adverse effects from data attacks against them, there may be a higher acceptance of data risk among their users. Meanwhile, service- and product-based brands such as Marriott and Neiman Marcus – which consumers may not associate as closely with the handling of sensitive client information – may suffer disproportionately in the wake of a data breach.
The figure that undoubtedly matters most, however, is this: 81 percent of customers, according to a Ping Identity survey, said they would stop engaging with a brand online following a data breach. That’s more than 4 in 5 customers – a potential company killer. So, if cybersecurity measures have already failed, and if the very existence of a business is at stake, what can be done to rebuild customer trust in the event of a data breach?
Bouncing Back from a Data Breach
Cybersecurity-attack prevention should always be a company’s first priority. Investing in effective data protection technology is more affordable and less risky than trying to recover from a breach and restore the faith of customers after the fact. But an organization should cover all its bases by preparing for the worst: create an action plan, determine how communications will be managed and identify who will be responsible for managing the recovery process. Start with this checklist and refine or add to it based on the nature of the breach and your business.
Own any data breach. Begin with prompt and full disclosure to the public. Don’t skirt the issue. Consumer trust can only be regained through radical transparency. Remember, these efforts can make or break your organization.
Be clear. Offer explicit details about what went wrong – to the extent that publicly sharing them doesn’t add to the risk of further security issues. Deep and comprehensive post-mortems can be game changers after data attacks. Think of this not as a mea culpa but your organization’s way of proving it knows exactly what happened, so that it can ensure it won’t happen again.
Maintain detailed records. Evidence of data access means everything in assessing a security breach. This information not only makes remediation easier, but also enables clearer communication with customers and authorities. Nothing erodes trust faster than vague or changing details.
Offer to help. If customers have had their data stolen, work with them – quickly and professionally – to remediate. Offer to pay for reissued personal identification, make password resets simple and consider providing free credit-monitoring services through credit check agencies to watch for ID theft.
Manage your teams appropriately. Assign the right people to your response team – an incident manager, cyber forensics specialist, human resources professionals, a public relations agency and a legal team that specializes in data security and compliance. Provide all-staff coaching and guidance on how to communicate about the breach if asked.
Communicate. Maintain ongoing communication with customers explaining what improvements are being made and how the organization is continuing to make data protection a priority. It takes time and ongoing investment to rebuild trust.
There is no foolproof approach to recovery after a data breach. But a few basics give a company the best chance to recover from a security event: when prevention fails, remediation preparation, transparency and clear communication are critical. An organization can’t equivocate, shy away from difficult conversations or throw an employee or department under the bus. Once a breach occurs, a company’s best shot at earning back consumer trust is to take responsibility – in a loud, clear and detailed public conversation – along every step of the way.
ABOUT THE AUTHOR
Dan Draper is Founder and CEO of CipherStash, a data security company that utilizes groundbreaking searchable encryption technology. Dan is a lifelong coder and self-taught cryptographer passionate about developing cutting-edge technology rooted in academic research. As a member of Australia’s Cyber Security Working Group to prioritize changes to data security regulation, he is passionate about ensuring that users have the knowledge and power to protect their data.