Can breach impact be measured?
TalkTalk’s annual report is due to be published in a few weeks and many of us will expect to see the impact of the breach that took place in October last year in their year-end figures. But if there is no material financial impact, would you be surprised? Would a lack of impact add weight to the argument made by some in the security industry that there is no measurable effect on the long-term bottom line of an organisation after a security breach? What if one of the most reported security breaches in the UK has no ill effect on the company’s revenue, and the reports were just another example of FUD (fear, uncertainty and doubt) with no substance, used to sell newspapers, sell advertising space and scare the public? I think it is widely accepted that there is always a short-term effect on revenue and profitability, but what about the long-term impact?
I wouldn’t be surprised if there is little impact shown in TalkTalk’s figures as large organisations rarely see damage to long-term revenue or profitability following a breach if they survive the short term. Perhaps this fact is why the misguided argument exists; the long-term effects of breaches can be so well hidden that many security professionals dismiss them altogether.
Does a data breach really affect your firm’s reputation?
A good example of this was the recent article “Does a data breach really affect your firm’s reputation?” published on CSO Online. Although this article included some sensible quotes from industry professionals, there was still an undercurrent of the view that security breaches don’t impact brands and long-term revenue or profitability, with one professional even going so far as to claim that brand impact cannot be measured. I’m sure market researchers and brand analysts would say this is a misguided view.
The CSO Online article opens with the following statement:
“The long-held view is that breached companies are cast aside by consumers, investors and shareholders. A breach isn’t just a temporary glitch – it’s a mistake, a faux pas, which you can’t just shake off.”
It then goes on to oppose this argument by continuing:
“However, on closer inspection, it could be argued that this reputation argument is a falsehood.”
It attempts to substantiate this point using the diagram below, showing how each of the organisations that suffered a large data breach ultimately recovered within 12 months, with an increased share price (i.e. their value as a business increased).
[Diagram: share price of each breached organisation over the 12 months following its breach. Source: CSO Online]
I don’t want this blog post to be an attack on that particular article, which I link merely as an illustration of the wider point. But there is an obvious flaw in this argument, as it takes no account of what the potential growth would have been without the breach in the intervening period, what the expected growth was, and what the internal costs dealing with the breach were.
Growth is still seen but is it less than you would expect?
If we look at Adobe’s breach, the year before it happened it had growth of nearly 60 per cent, but it only grew by 30 per cent in the year after the attack. So is this a loss of 30 per cent due to the breach? Home Depot’s historic prices are so erratic that no real conclusions can be formed whatever your argument.
So does looking at the resulting share price really give an indication of ultimate implications of security breaches?
It is perhaps telling that the article doesn’t make any mention of the business challenges that exist when a breach is suffered, let alone the increased capital and operational expenditure. If we accept the argument that most would expect the share price to go down after such a large, well-reported breach, we also need to know what the organisation did to ensure that the share price increased following such a significant event. How much extra effort was made by the sales, marketing and PR personnel to avoid a drop in the share price?
Any sales professional will tell you that if there is a compelling event, such as the loss of a customer or an account, it is very rare that there will be a corresponding reduction in their target. The same principle applies to profit-and-loss statements and forecasts; simply having a compelling event is not an excuse to turn in a bad result - it merely means that the organisation in question has to increase its efforts.
Any good PR agency will be able to cite dozens of times when it made gold out of something bad and it is all about getting the story right and managing the media correctly. The increase in share price, revenue, or profit should not be viewed as the security breach having no impact, but rather as a compliment to the commercial teams and the business as a whole.
A hypothetical example
Consider Company X, a major high street retailer. It suffers a large breach that gains the attention of the world’s press. Fearing a slump in retail sales due to a rapid drop in footfall, the marketing and business analysis teams are called in. They know that the brand has suffered, and that the likelihood of people buying from and recommending them has dropped off a cliff (yes, these things are tracked). They need a plan. The business analysts know that an average customer spends approximately $60 every time they visit a store. In response, the marketing team sends every single known consumer a voucher worth $30. The customers return, and add an additional $30 per visit to their spending. This means the strategy breaks even in terms of short-term revenue, but more importantly it succeeds in bringing customers back into the stores and re-establishing the relationship. Genius! What a strategy!
European Union General Data Protection Regulation
Part of the new EU General Data Protection Regulation (GDPR) mandates breach disclosure to the supervisory authority, and where the breach “is likely to result in a high risk to the rights and freedoms of individuals”, the organisation must also notify the affected data subjects. As a consequence,
Reputation
When an organisation’s reputation is called into question, whatever the cause, it has the potential to affect the share price and the bottom line.
Reputation and brand are the key things that influence both of these. Consumer confidence is a metric that is tracked and taken extremely seriously by businesses and by the City analysts who operate in that space. To illustrate this, the diagram below shows consumer confidence in TalkTalk immediately following the breach.
[Diagram: consumer confidence in TalkTalk in the period immediately following the breach]
Is the graph above a true reflection of what happened to its brand?
How will its figures look at the end of the year? It’s too early to say. But if they do turn it round, as I hope they do, will some security professionals then be saying that the breach didn’t affect them? I very much doubt TalkTalk staff will have the same attitude. I suspect, rather, that the company will be looking maturely at the things that went wrong and finding ways in which it can improve.
In comparison, the breach of JD Wetherspoon’s systems was handled extremely effectively in terms of its PR, only raising a few eyebrows over the morning cornflakes. Even so, the company still suffered brand and reputational damage in its consumer demographic. While the breach didn’t seem to affect its share price, it still had an impact that had to be countered to ensure that it didn’t have far-reaching consequences.
The graph below demonstrates that although the Wetherspoon brand as a whole didn’t suffer as a result of the breach, confidence among its typical customers did:
[Diagram: consumer confidence in JD Wetherspoon among its typical customer demographic following the breach]
So what can we learn?
Obviously, not having a breach in the first place is the best way to avoid brand damage, but as the number of incidents increases it becomes correspondingly less likely that they can be avoided completely. The reality is that businesses need to be resilient to breaches. No matter how you dress it up, reputation is nearly always affected by a security breach, be it in the short term or the longer term. But how much it’s affected, and for how long, depends on one factor: how well prepared you are in the first place.
If you manage the breach with the correct incident management strategy, have a well thought-out communication plan and take a joined-up approach to repairing any fallout to your brand, you may well reduce any long-term impact.
Summary
In summary, organisations should consider the following:
- Implement a security strategy that accepts that breaches will occur, and plan accordingly, looking at all the touchpoints within the business.
- Accept that security breaches do impact brands, and that your organisation’s brand is as important as the data or intellectual property that it holds.
- Help board members understand the security problems that exist and communicate security implications up the chain of command in terms that they can appreciate, such as the risk to share price, profit & loss, regulation and brand.
- Have a robust incident response plan that addresses what the whole organisation should do in the event of a breach, not just the technical teams. Include the PR and marketing departments in this planning stage and consider the involvement of the wider business and commercial teams.
- Accept that tactical controls are only useful when a full strategy has been determined – throwing equipment at the security challenge and keeping your fingers crossed is not a strategy.
Comment from: Manager of International Account Management | Revenue retention, Customer Success
Really good article Tim. I wrote a discussion on this recently and it's hard to determine how/if a breach impacts a company or if the right tools were in place to combat the response and the cavalry brought in, i.e. PR, Marketing etc. (like you have mentioned). I think fundamentally the big boys in the industry can, potentially, handle these breaches without going off the grid. However it's the SMEs, in whatever market you are in, that could see the massive losses. Especially with new GDPR knocking at the door.
Comment from: Cybersecurity Influencer | Advisor | Author | Speaker | LinkedIn Top Voice | Award-Winning Security Leader | Awards Judge | UN Women UK Delegate to the UN CSW | Recognised by Wiki & UNESCO
Brilliant! Intelligent, insightful & well constructed. Thanks for writing this, Tim Anderson. Security exists to serve the business & things like this need to be better understood in companies looking to mitigate their risks & by sales & marketing teams developing business.
Comment from: BCS Influence Board | Forensic Scientist | Cyber Awareness Evangelist | Expert Witness (Digital Evidence) | Doctoral Candidate | Visiting Lecturer, Sheffield Hallam Uni
Great article Tim. Could not agree more. As for the question in the title ... I think the Panama Papers make it easier to answer!
Comment from: #CyberSecurity Strategist | Advisor | Evangelist | Consultant | Hands-On Technologist | Human Router
Good solid article, Tim Anderson. Key statement: "[typical after breach analysis] takes no account of what the potential growth would have been without the breach in the intervening period, what the expected growth was, and what the internal costs dealing with the breach were." Completely agree. Have you had any luck with analyzing, say, the previous 5-7 YoY revenue growth to compare? Completely agree with the summary statements. Again, good solid article, and this kind of research, input and analysis, currently being hand-waved, is valuable.