There's a practically endless list of potential threats to your company's reputation: unhappy customers, disgruntled employees, nefarious competitors, PR blunders, and employee or executive misconduct. But have you considered how dangerous security threats are to your company's reputation?
Security risks, especially when they impact your customers, can have a seriously damaging impact on your reputation. Companies that experience problems with security may be seen as weak, unprepared, irresponsible -- and most damaging of all: untrustworthy. These serious issues can shake confidence in your company, affecting your reputation and relationship with consumers, investors, partners, and more.
We asked security experts to identify the security issue that is the single largest threat to a company's reputation, and we were surprised to find that they were nearly unanimous in their votes. By far, security experts believe that data breaches are the biggest security risk that threatens a company's reputation. We'll explore what makes data breaches so damaging, how businesses can protect against them, and also share other important security considerations and protocol that any business with a reputation to defend can't afford to ignore.
Why Data Breaches are Your Company's Most Crucial Reputation Security Threat
When we asked security experts about the single largest security risk that impacts reputation, nearly every one of them told us they see data breaches as the biggest threat. It's not difficult to understand why: we've seen plenty of reputation disasters due to data breaches over the past year, most notably Target's $148 million data breach. Data breaches put customers on edge: they expect that when they share personal information or credit cards with a company, there are effective protocols to protect that information. When that data is breached, so is customer trust and company reputation.
"These are issues that American consumers care about," says Kevin Ptak, Mako Networks global communications manager. "One recent study found that Americans are actually more concerned about card fraud than terrorism. And for good reason, too; nearly half of all US adults had some aspect of their personal details, like credit card numbers, email addresses or social security numbers, compromised in hacking incidents last year."
Though most data breach incidents in the news focus on credit card information, financial data breaches aren't the only threat. "A broad-based breach of any kind, particularly any breach where the remediation strategy involves forcing large numbers of customers to reset their passwords or take some other action, is the biggest reputation threat," says ForgeRock vice president of innovation and emerging technology Eve Maler.
Any organization that transmits sensitive information is at risk of a reputation-devastating data breach. "For healthcare and enterprise business, security and compliance issues are an ever-present threat," explains Paul Banco, CEO of etherFAX. "Our clients are bound by HIPAA, PCI and SOX compliance laws that make data breaches detrimental to their businesses and their customers."
Data Breach Damage: Reputation and Beyond
Data breaches target much more than just finance, and data loss can be even more harmful that compromised credit card numbers. "Hackers can get personal information from you, your employees and your clients if it isn't secured," says EZSolution IT manager Brad Roth. "You can lose tons of data that will cost a lot of money if you don't have the right backups in place, and any data that you have on your site could be breached if you aren't up to date and monitoring everything to be secure."
The consequences of a data breach can be devastating. "These are messy incidents for the companies involved, with plenty of unsavory headlines, lawsuits, angry customers, and upset shareholders to assuage afterward," says Ptak. "When a consumer does have their card details breached, two-thirds say they hold merchants accountable for the loss. That accountability shows up in increased customer churn, which also grew last year. Consumers vote with their feet and their wallet, taking their business elsewhere. That’s why 60 percent of small businesses that suffer a data breach event are out of business six months later."
Maler points to the Target breach as one with a dramatic affect on corporate reputation, not to mention profits. "Target's 2013 holiday-season business suffered measurably, and its long-time CEO even resigned over the breach -- a first," she says. Though it was nearly a year ago, Target continues to feel the lingering effects of their data breach. The retailer experienced a 46% earnings drop after the data breach became public, Ptak reports, and it paid out $148 million in breach-related costs in the last quarter and lowered financial guidance for the quarter ahead.
The public continues to grow more sensitive to the hot topic of information security, and consumers are very aware of the risk of identity theft. That's why Chris Camejo, director of assessment services for NTT Com Security says that any sort of breach that makes headlines will affect a company's reputation. And for companies that have experienced a breach that includes consumer information, there's practically no hope that the incident will fly under the radar. "Breach disclosure laws almost guarantee that any incident involving consumers’ personally identifiable information will be publicized eventually, but in most cases companies don't even have the chance to manage their own initial disclosure: over 2/3 of breaches are spotted by third-parties before the victim knows they’ve been breached," says Camejo.
The Risk of Data Breach Grows -- Especially for Small Businesses
Even more troubling is the fact that data breaches, especially financial ones, simply won't stop. These types of security events are on the rise worldwide. As such a tempting target for thieves, of course they are: "Cyber crime is a business estimated to be worth about $400 billion, so there’s plenty of profit to be made for the fraudsters," says Ptak. "And despite the many recent headlines about card data breaches, many companies—both large and smaller businesses—are still struggling to properly protect card data."
Big fish like Target aren't the only organizations at risk for data breaches. In fact, Ptak believes that smaller, less well-defended targets like small and mid-size businesses have a growing risk of card data breaches. "One study found nearly a third of all data breaches last year occurred at businesses with 100 or fewer employees," he says.
This growing risk boils down to the fact that smaller businesses aren't doing well meeting security obligations, says Ptak. He points out that more than a third said in a recent study that they either didn't know about or weren't compliant with the PCI DSS, a special set of security guidelines created to protect card data.
"Target is a major company with deep pockets," says Cyber Insure Solutions cofounder Michael J. Carey, Jr. "What happens to a small business that experiences direct losses from a hack, plus potential lawsuits from its business partners and the government?"
Internal Security Affects Data Breaches
Globalscape CEO and president James Bindseil points out that while external breaches get a lot of attention, the biggest threat to IT security is often internal. "The Ponemon Institute recently did a study and found that more than a third of all data breaches are caused by unintentional internal error," says Bindseil. "As one example, for their own convenience employees continue using familiar and easy-to-use consumer tools, like personal email and third-party file-sharing sites, to move confidential work files every day, putting their organizations' reputation at risk."
For example, a recent Globalscape survey of more than 500 professionals found that over 60 percent of employees have used their personal email to send sensitive work documents in the past 12 months -- and 74 percent of those employees believe that their companies approve of this type of file-sharing behavior.
These actions may seem innocent to employees, but they can open organizations up to disastrous results. Bindseil shares an example from a hospital in San Diego: "Employees (twice!) emailed protected health information to job applicants by mistake. This caused over 20,000 patients from the hospital to receive HIPAA breach notification letters." These violations don't just cost organizations in fines and legal expenses -- they're damaging to their reputation, and can even affect accreditation in the future.
How Organizations Can Fight Data Breaches
It's clear that data breaches are a major threat to both security and reputation for businesses and organizations both small and large. By now, most companies are likely to understand that data breaches can be devastating, and that they should do something about it. But many may not understand exactly how to do so.
For Camejo, the first step in defending against data breaches is understanding that they can and will happen. "The number one lesson that needs to be learned is that companies can not simply try to keep the bad guys out of their networks," he says. "Between stockpiled zero-days, phishing attacks, sophistication of attackers it is almost guaranteed that a determined hacker will eventually break into a network. We must move beyond trying to build a secure perimeter to keep the bad guys out and turn to a defense in depth model that allows us to slow down an attacker who has gained access to the network and take steps to stop him before he can compromise sensitive data."
Camejo suggests that this can be achieved by segmenting networks: isolating sensitive data so that even when an attacker has breached the network, there are more security barriers to break down. He says it's clear this kind of protocol was not in place when Target was breached. "The attacker was able to pivot from a compromised third-party HVAC company all the way to retail point-of-sale terminals (showing that internal segmentation was missing or ineffective) and then exfiltrate the stolen data to the Internet over the course of weeks (showing that the detection and response capability was ineffective)," he says.
He also warns that human error is another important factor in preventing data breaches. "Though Target invested $1.6 million on FireEye’s network monitoring software prior to the breach and that this tool did actually detect and alert on the ongoing attack, it was the human operators who considered the alert a false positive and ignored it," says Camejo. "Network security systems are only as effective as the people operating them and too many companies rely too heavily on flashy tools without providing enough human support around them."
Ptak identifies the Payment Card Industry Data Security Standard (PCI DSS) as "perhaps the single most important step a company can take to both reduce their risk and limit their liability of a card data breach event." The PCI DSS is a set of security practices, policies, and procedures developed by the major credit card companies to fight cybercrime and card fraud.
But, says Ptak, PCI DSS compliance is a major undertaking and companies may not have the technical requirements or expertise to comply. Ptak recommends working with vendors that are fully PCI-certified, and encourages merchants to always ask vendors and partners to produce evidence of their PCI DSS compliance status.
Further, Roth encourages e-commerce sites to strongly consider using a third party service to store credit card information. This service should be PCI DSS compliant, and protect you from liability in case of a data breach.
To fight internal data breaches, Bindseil encourages organizations to provide secure solutions that employees can easily integrate into their daily routines. "Employees now expect instant access to information, and the ability to send and store files in a few simple clicks," he explains. "When internal technology and tools come up short, employees will find a workaround, making speed, simplicity and mobile access critical for any security solution."
"The right combination of people, processes, and technology is the key to reducing enterprise security threats," Bindseil notes. "Although employees may be the ones mishandling data, it’s up to the IT team to ensure that workers are educated on the organization’s policies. By clearly communicating the risks of unsecured data and working with employees to provide a solution that is simple for them to use, but effective against attacks, the IT team will help ensure the safety of their organization."
Carey supports the use of multiple safeguards, with technology, procedures, and training, and as a final coverage, comprehensive cybersecurity insurance. Carey notes that most traditional insurance policies do not cover cybersecurity, and even companies with basic cyber insurance may find that they aren't covered for additional or "expanded" cyber threats that lead to the theft of funds, bodily injury, physical damage and property damage.
Additional Reputation Security Concerns
While data breaches are far and away the security threat that keeps our experts up at night, they aren't the only security problems that can have an impact on the reputation of an organization. Malware and cyber intrusions, account hijacking, and social media identity theft are also serious security concerns that can be embarrassing -- and incredibly damaging -- for your company's reputation.
Company Computers at Risk
AEGIS FinServ president Jim Angleton warns against unprotected or poorly protected company computers with outdated firewalls and software. He points out that malware and cyber intrusions that can get through on unprotected computers are very stealth, and users may not realize their machine has been compromised. And individual computers can lead to the compromise of entire servers with extensive information that can be exploited.
What's at stake with malware and cyber intrusions? Angleton points to personal or corporate data codes sold on the black market, and even hackers that may change login information and request ransom money to allow the company to regain control and access to computers or servers. Ransoms or stolen codes do not instill confidence in consumers, investors, and partners, and can send a signal to others that your company is not in control of important protocol.
Angleton recommends that clients fight these security threats by taking the following actions:
- Maintain updated software and anti malware
- Do not post passwords in mobile or application files in full form; always leave a _ blank in case your data has been compromised
- Google your name and company name weekly, conduct a similar review on social media, and use botnets if you know how to
- Always respond to disgruntled patrons or former employees as a formal reply adjacent to online complaints to demonstrate your vigilance plus willingness to correct information
- Disconnect computers from the Internet when not in use so that latent bugs do not wake and try to report stolen/compromised data to exit your computer back to hackers
- When making purchases online, request your bank assigns you a single use online account number
- Change login passwords each month
- Hire trusted IT consultants who can perform these actions for you -- but conduct due diligence on them to ensure professionalism and reputation
When a hacker gained access to the Association Press Twitter account and made a fraudulent claim that President Obama had been injured in a White House attack, the Dow Jones dropped 128 points in a matter of seconds. Though the Dow bounced back nearly as quickly when the hoax was revealed, this incident illustrates just how important account security can be, and how much of an impact it can have on confidence and reputation.
Personal security and identity theft expert Robert Siciliano warns that no one should shrug off account hijacking as a problem reserved for high profile organizations like the Associated Press. He insists that it can happen closer to home, too. "Fraudsters may send your employees Twitter messages on their workplace computers that are designed to fake the recipients into thinking they’re receiving authentic messages when, in fact, the fraudster’s motive is to get money or sensitive data," explains Siciliano.
He also points out that a hacker could take your business' name and use it for nefarious purposes. "Someone could crack your password, take over an account and cause a trail of destruction," says Siciliano. "Or they could create a new account using your business' name and post all sorts of alarming, but false, things about your company.
To combat this risk, Siciliano recommends that companies constantly monitor the web for spoofed sites using stolen or similar likenesses or logos. Businesses should also use careful protocols, like developing (and regularly changing) secure passwords for all accounts, and not allowing employees to access personal social media on company computers or mobile devices, especially if they're responsible for company social media accounts.
Expert Recommendations for Protecting Your Company from a Cyber Attack -- and a Compromised Reputation
With such serious security risks threatening every organization's reputation, it's clear that companies can benefit from tight security. And we've seen that even companies like Target that may think they have security under control still have serious room for improvement. How do security experts recommend that companies protect against security threats and compromised reputations? Read on for their recommendations:
- Give security the attention it deserves: "When a company's reputation is at stake, it's a grave error to treat security as a mere compliance checkbox," says Maler. Perhaps the most important step to better security is realizing that it's likely you can always do better.
- Get help from customers: Maler recommends instilling confidence and better security simultaneously by getting customers involved. "Better security doesn't have to impose new inconveniences on customers if you weave contextual factors into user interactions, such as treating the use of previously unseen devices or surprising combinations of time, place, and task as more suspicious," she says. "You can even ally with your legitimate customers to be on the lookout for bad actors by letting them configure the ability to receive notifications of account activity as it happens."
- Secure networks, no matter what: "Whether you're 500 employees strong or just a two-man operation, it is always important to work over a secure network," insists Vysk Communications CEO and cofounder Victor Cocchia. "In the office, Wi-Fi connections should be placed behind the company firewall. When mobile, always use a Virtual Private Network (VPN) connection when signing in to any outside or unknown Wi-Fi system. You can setup your own VPN for as little as $199." He recommends that instead of using public cloud services like Dropbox or Google Drive, companies should utilize VPN and private servers.
- Make customer privacy a priority: Cocchia recommends that companies implement and enforce robust privacy policies and practices. This includes Secure Sockets Layer (SSL) certificates, and policies against discussing or transferring data like passwords, company financials, and credit card numbers over non-secure channels such as email, text, or Skype.
- Add multiple layers of authentication: Missouri University of Science and Technology professor of computer science Dr. Sanjay Madria encourages organizations to think beyond login and password access. He points out that many companies still use only one level of authentication, and while many are now adding multiple levels, they still have a long way to go.
- Boost employee security training: Employees are often the first line of defense (or access) for hackers. Roth shares that businesses need to educate employees. After all, security tools are only as good as the people using them. "Tell employees to not open up shady e-mails, or to hover over any links to make sure they are going to the right place," says Roth. "Don't download attachments and files from e-mails you are not aware of. When you are online, be sure to only visit safe sites and always have your antivirus and firewalls up to date."
- Insist that company devices remain secure: SystemExperts consultant Jason Rhykerd points out, "It is not uncommon these days to walk into a small shop/office where the employees are surfing the Internet, checking Facebook and their personal email, on the same system that they will swipe your credit card on when you check out." This is clearly a security risk -- and one that must be contained.
- Use adequate firewalls to protect sites: Roth warns that a free software firewall is not enough. Major firewall protection should be used, and it's important that patches are installed and up to date on all of your servers. Roth also encourages companies to keep as much information disconnected from the Internet as possible.
- Don't overlook the basics: Rhykerd encourages companies to not forget about basic security protocols. He insists that companies need to cover basic but essential issues like end user awareness, strong passwords, how to spot phishing/vishing attacks, disabling/filtering unnecessary services, patches, the concept of least privileged, and change control.