BY SKYLIGHT INTELLIGENCE CORP.
One of the biggest hacks in history happened last week related to the Under Armour MyFitnessPal mobile app. The most shocking part? The general public barely took notice. The Under Armour (UAA) stock only dropped from $16.66 to $15.91 after the next opening bell, and news stories about the event had fewer than 500 shares on social media. It was a news story with minimal reputational impact.
Which begs the question: when does a data breach actually matter?
Looking at cyber risk through the lens of reputation management might help organizations prioritize their investments in cyber security—especially as you consider what information in data centers would impact your organization’s reputation if it were broadly released.
Here are three important questions to ask when assessing cyber risk.
1. How could cyber security impact my brand’s differentiators?
Organizations position themselves to stakeholders through direct messaging as well as through their policies and actions, setting certain expectations of the brand. For example, Ashley Madison promoted privacy and/or security as part of its brand differentiators, making its 2015 cyber security event, in which the data of millions of users was released by hackers, an obvious break with consumer expectations. Apple also built up consumer expectations of privacy when it took action to fight the government over unlocking an iPhone.
If a brand establishes differentiators of privacy and security, breaking those expectations can lead to serious repercussions that have a long-term impact on the brand. For example, Uber broke consumer trust when it was discovered that the Company was tracking users not just from point A to B, but even after they stopped using the app. Uber’s initial messaging, “everyone’s private driver,” implies a luxury brand with a service similar to a black car, but even a taxi would stop following you after you exit the cab. This event, along with a series of other recent mishaps, has made Uber lose market share to other companies like Lyft.
Looking at your brand messaging and actions, you should be ready to defend any data exposure or impacts to your stakeholders’ privacy that run counter to your differentiators.
2. How will data exposures impact my key stakeholders?
Most organizations have one or more fundamental stakeholders that provide most of their funding or revenue. Your key stakeholders are typically determined by your business model (e.g., B2B, B2C or B2G). Cyber risks that involve data exposures or impact the privacy of this key group need to be prioritized above others, since they could impact the financial position of your organization.
While this consideration may seem heartless, Equifax has proven this truth to be self-evident. Equifax went from $143 per share to $93 per share in the days following its 2017 announcement of a data breach involving over 140 million consumers; however, the Company stock has rebounded to almost the same price that it was last year, making the long-term impact appear minimal or, as Seeking Alpha called it, “Much to Do About Nothing.”
This cyber event had no long-term impact because the data released was not related to its primary stakeholder group of bankers and merchants as B2B companies. Consumers, while terribly impacted, had no recourse other than lawsuits to take direct action with real long-term impact against Equifax, making it a short-term concern.
3. What is the historical reputational impact of data release?
Given the unfortunate history of cyber security events, organizations now have several case studies to consider when assessing the risk of data sets.
For example, you could argue that the security of credit card and basic personal data has limited impact on an organization’s reputation. Target and Yahoo! had credit card and contact data stolen, but beyond lawsuits and security changes, topline revenue for these companies did not change, indicating almost no change in consumer behavior. Perhaps it’s because personal data is becoming readily available online from companies like Spokeo. Or maybe credit card breaches have no direct financial impact on consumers, since credit card companies cover most of the illegal transactions.
In comparison, as the Sony email hack showed, internal documents and personal emails might be more important to secure, since their release could lead to long-term damage to reputation and future assets. Similar to the Uber example mentioned above, this data may contain information that counters or does not align with a brand’s differentiators and/or overall reputation. In this case, the data could be more harmful than basic data already accessible online.
With cyber security breaches increasing in frequency and size over the past few years, organizations need to think of the issue as a threat far beyond technology. A cyber threat or attack is very much linked to the reputation of an organization. Decision-makers with oversight of the organizational reputation or response to crisis events need to take notice, be prepared, and even rehearsed, to a certain degree, to manage cyber risks from a reputation perspective.
NOTE: Data breaches themselves have a direct and often immediate cost that should not be ignored. IBM estimates $3.62M as the average total cost of a data breach and $141 as the average cost for each lost or stolen record. Therefore, every organization needs to prioritize its budget for the protection of information with a potential reputational impact, as breaches of such data have proven to have a longer-term impact.