October 5, 2016
How the CIO and CMO Can Protect Your Brand from Ruthless Hackers
Editor's Note: Sirius and Forsythe are now one company. Sirius acquired Forsythe in October 2017 and we are pleased to share their exceptional thought leadership with you.
While hackers have always targeted customer data, they’ve recently set their sights on something much deeper than credit card numbers — they’re going after your brand itself. And it’s getting personal.
With the impact of a data breach now extending far beyond the IT department, it’s never been more critical for members of the C-suite to collaborate in preparing for the next security breach, which has the potential to be more personal.
According to an Experian study, a data breach has the biggest impact on brand reputation — even greater than poor customer service and publicized lawsuits.
Recent high-profile attacks on companies, such as the attack on Sony, have shown how swiftly and powerfully attacks can impact brands — taking down companies temporarily, or even permanently. In Sony’s case, hackers shut down the company’s network, wiped every hard drive, and held the company for ransom, demanding that it pull the movie The Interview from theaters. The threat sparked a nationwide fear of terrorist attacks in movie theaters. Hackers also leaked embarrassing emails that humiliated executives and ruined their relationships with movie stars and employees. And the attackers didn’t do it to steal credit card info; they had political reasons for destroying Sony and the reputation of specific executives.
Now, it’s getting personal.
The Evolution of Data Breaches
Let’s quickly review how cyber attacks have evolved over the years.
Credit card numbers (2013): The Target data breach impacted millions of Americans and brought cyber security conversations to boardrooms around the world.
Healthcare records (2014): A stolen credit card is worth less than a buck to hackers, while healthcare identities sell for $363 each. Since medical facilities are less secure than banks and retailers, hackers are going for the easy money.
Personal and company data (2015): Attacks on Sony, Ashley Madison and VTech Learning Lodge show that hackers are going after deeply personal information — crippling brands and driving them to potential bankruptcy, as well as hurting the reputations of executives by making personal emails public. In the case of VTech Learning Lodge, hackers went after a new target—children. They retrieved personal data for five million people in VTech’s database, including parents and their children. The possibility that hackers can use this information to pinpoint where kids live is particularly frightening.
3 ways CIOs and CMOs can work together to protect the brand
With security breaches making consistent news headlines and endangering brand reputations across the globe, the modern chief marketing officer (CMO) is now on the frontlines of IT security, and chief information officers (CIOs) are on the frontlines of brand protection.
Here are three things CIOs and CMOs can do to prepare for breaches and minimize brand damage:
1. Ensure that everyone understands your risks.
Security breaches aren’t just for the IT department to worry about.
With such high stakes, everyone in the company must be aware of how a single leaked email can destroy someone’s reputation and ruin your brand. And it’s not just about the company’s brand but also employees’ personal brands.
While you might have a plan to protect financial data, are you prepared if an attack becomes personal? How will you react if an attacker tries to take down your brand? What will you do if employees or customers are humiliated?
2. Make sure your crisis communications plan and security incident response plan are in sync.
A crisis communications plan helps you minimize brand damage and stabilize public opinion during a security incident. A security incident response plan can help you detect, respond to, and limit the effects of an information security event.
It is important that the two plans work together.
For example, both Target and Home Depot faced major security breaches. In Target’s case, hackers gained access to 40 million customer credit cards. The company hesitated to report the breach, and their response created public relations (PR) issues that impacted the brand.
Home Depot experienced an even larger breach, with hackers accessing 56 million consumer credit cards. However, the company was prepared to handle the crisis and went public within a day of the attack. Home Depot’s swift reaction, coupled with other factors like news coverage and timing, led to a much calmer consumer reaction. Home Depot’s brand recovery fared better than Target’s, thanks in large part to their incident preparation and response.
Since you won’t be able to control the around-the-clock news cycle and timing of a data breach, it is critical to focus on the things you can control.
To minimize brand damage from an attack, it’s crucial that your crisis communications plan and your incident response plan are in sync.
CIOs and CMOs should discuss crisis communications with the C-suite and decide how they will handle both client and public communications during a crisis. Here are some questions to answer before you are breached:
Who will you notify internally? Do you have contact information for key stakeholders in case you need to call them at 3:00 a.m. about a breach?
Who is responsible for notifying your internal stakeholders?
When will you notify internal stakeholders about a breach?
What types of breaches require a PR strategy?
When will you make a breach public?
What are you allowed to say?
What are you not allowed to say?
It is important to note that if your company has cyber security insurance, your insurance plan may specify who can handle your PR in the event of a breach. If the wrong person handles it, your insurance may not pay the claim.
3. Add business context when planning, testing and refining your incident response plan.
Running security incident response drills shouldn’t be left to just the IT department. Marketing and business unit leaders should be included in the process so your company can identify all impacts to the company when a security breach occurs.
Here are some questions the CIO and CMO should ask to understand if their company is ready to respond to a security breach:
How can a breach potentially impact the brand?
What roles should the CMO and CIO take during a breach? What are they responsible for?
What does IT need to do during a breach? What does Marketing need to do? Is each department educated about their responsibilities?
What equipment and processes should each department test in preparation for a breach?
Do you have press releases pre-written in advance of a breach that are ready to go? What should they say?
Are you aware of the constraints in your cyber security insurance policy? Have you incorporated these constraints into your cyber security plan?
Do you have a disaster recovery plan that you can execute to run your business if hackers infiltrate your network?
Preparation is the name of the game
It’s no longer a matter of if an attack will happen, but when it will happen and how much it will damage your brand and your business.
Your ability to manage your reputation during an attack relies on how well you mitigate risks, which can be directly related to how well the CIO and CMO collaborate in advance.
If you wait until a breach occurs, you’ve waited too long.
Start to prepare for inevitable security breaches now. CIOs and CMOs should work together and educate the C-suite and the corporate board about how a breach can impact not just your security, but also your brand reputation. When everyone is aligned with a solid plan, you can quickly respond to attacks and minimize brand damage.