A discussion with James Lee, Executive Vice President, Chief Marketing Officer and Director, Waratek
We frequently read about cyber-crime and most can relate to the activity in some shape or form. Most of us have been lucky to have an institution restore our money, remove a charge or replenish our miles or points.
But the numbers are alarming. According to Javelin Strategy & Research, amateur and professional hackers have successfully adapted to net 2 million more victims in 2017 over 2016 to 15.4 million victims and with the dollar amounts stolen rising by nearly one billion dollars to $16 billion. And Steve Langon, CEO of Hiscox Insurance, cited in a CNBC interview that cybercrime costs the global economy over $450 billion with over 2 billion personal records stolen. In the U.S. alone over 100 million Americans had their medical records stolen.
A natural assumption is that companies are all over security and have made it their number one priority. The reality is that most companies can’t keep up. Yet often times when consultants analyze drivers of choice in B2B purchasing, security of data and networks fall in the middle or lower half in terms of prioritization. As we digitize everything we interact with, data security concerns will touch every industry, business, and person.
We sat down with James Lee to talk about brand risk.
Have we peaked with the frequency and intensity of data breaches and attacks? No. With three months left in 2017, we’ve long since left 2016’s record number of breaches in the dust with successful attacks against Financial Institutions up 80% over last year. In many studies on purchasing preferences and behaviors, consumers don’t see the security around their personal information as the most critical driver. Generally, many people volunteer a lot of their information to many companies without realizing the risk of compromising their vital information to professional hackers and criminals.
There are literally billions of lines of new software code written every year and that code contains flaws.
What are the conditions that are driving these breaches and attacks? Everything we do now is digitized and software driven.From Mom and Pop businesses in small towns to major global enterprises, virtually every process is linked to a software application and tied to public or private websites. There are literally billions of lines of new software code written every year and that code contains flaws.Professional and amateur hackers know this and they use automated tools to find those flaws as their main entry points into organizations.
As we connect everything in- and out-of-home to our mobile devices, the entry points and opportunities for potential hackers exponentially increases. Think of the botnet attacks in 2016 where millions of wireless webcams were linked together to grind the Internet to a halt in the US. Or, consider that the Target data breach a few years ago was accomplished by hijacking the building automation system and not the code in the Point of Sale (POS) scanners as was initially suspected. The software that managed the temperature through connected HVAC equipment provided the gateway. It didn’t help that the security team monitoring Target’s network turned off system alerts because they believed the alarms to be false alerts.
With IoT taking hold across consumer communities and automation along with AI building momentum in the service and industrial space, data breaches will continue to happen more regularly and with significantly more damage and pain.
Very few B2B or B2C companies are prepared to deal with a breach and its aftermath, especially on the brand and reputation of the business.
What is the brand risk for B2B companies? There are very real threats from the attack itself and even greater risk from mishandling the communication of what happened, how the problem has been fixed and what’s being done to prevent a repeat.Very few B2B or B2C companies are prepared to deal with a breach and its aftermath, especially on the brand and reputation of the business.
According to the Ponemon Institute, it takes a hacker three to six days to break into a company’s system, but it takes a business nearly 200 days to discover the attack.It can take another two months before the problem is fixed.If the people whose job it is to defend and respond to cyberattacks have a difficult time addressing them, how can we expect the rest of an organization who have little or no awareness and experience in this area to be well prepared to react?
These attacks can be difficult to explain even to another security professional, so imagine how difficult it would be to describe a complex exploit to an angry and fearful Twitter follower when even you don’t understand what just happened.Organizations also tend to learn more about an attack over time, which means a changing narrative.It’s very difficult for consumers worried about their financial health to understand why company executives don’t have full and immediate command of all facts – especially if they’ve never heard of the company.
Consumers give B2C brands with whom they do business the benefit of the doubt. B2B companies which tend to operate in the shadows, not so much.
Those organizations, especially unknown and opaque B2B companies, that wait until a breach occurs to begin building bridges to consumers will likely find themselves the target of harsh and sustained brand attacks from all sides: consumers, employees, elected-officials, regulators, shareholders and their communities.
How do you protect your brand? One of the biggest, fatal mistakes a brand can make is failing to deliver on its core promise. One of the implicit promises is that a brand will not intentionally or unintentionally harm you. As businesses and technologies have become complex and data has become ubiquitous, breaches are an inevitable consequence. There are only two kinds of companies:those that have been breached (one or more times) and those that will be. That reality requires a different brand defense strategy than most companies employ.
A compartmentalized brand portfolio could help mitigate against events that compromise customer information. A brand halo can help efficiently spread brand equity, but the opposite can hold true as well. And often it’s the smaller, inconsequential business that can take a whole company down. But most importantly, brands need to be incredibly vigilant in protecting customer information and not just ensuring a good experience 99% of the time.
No matter what the brand structure or prioritization of security, transparency is part of the cure. The more a brand explains the unique dynamics of their business BEFORE a breach and effectively communicates afterward, the more understanding consumers will be. Those organizations, especially unknown and opaque B2B companies, that wait until a breach occurs to begin building bridges to consumers will likely find themselves the target of harsh and sustained brand attacks from all sides: consumers, employees, elected-officials, regulators, shareholders and their communities.
From your experience, what are some key actions a company should take when a breach or attack happens? At a minimum, there are three key actions that affected brands should take:
• Isolate and fix the problem so that you can reassure your customers that you have things under control.Do whatever it takes to fix the underlying issue.If your system alarms protecting your data trigger constantly, don’t just turn off the alarms. If you need a new technology, get it. If it’s a process problem, come up with a new one.Allowing a breach to occur once can be career ending.Allowing the same attack to succeed twice is a business extinction event.
• Communicate often with absolute clarity and humility. When a breach happens, own up to it. Disclose all that you legally can and if there is information you cannot disclose, explain why you cannot. It may be difficult (even unnatural) to admit your faults in public, but consumers will respect you more for it and you will emerge a stronger company.
• Do the right thing even if it will cost you money in the short-term. Doing what’s right distinguishes a great brand from a company with a good corporate identity. Scrutiny from a breach will not pass quickly, but companies that take the opportunity to improve themselves will successfully shift from a poster child for poor practices to a leader that understands its duty to protect your personal information. The brands that chose to fly under the radar may get lucky once, but sooner or later, they will encounter a breach that can take down the entire company.
The old paradigms for staying relevant are gone. Is your strategy built for the future?