From Wonga to Debenhams Flowers, the roll call of well-known UK firms suffering a data breach grows on an almost weekly basis.
The impact of a breach can range from disruption of services to far more serious reputational damage, loss of business and financial implications.
Loss of brand value
In a recent survey commissioned by Centrify and conducted by Ponemon Institute, the majority of CMOs in the UK admit that the biggest cost of a security incident is loss of brand value. A data breach is potentially more damaging to a company’s reputation than more ‘traditional’ PR disasters like a product recall, an environmental incident or even a scandal involving the CEO.
So while the prospect of a serious data breach is keeping senior marketers awake at night, there seems to be something of a disconnect between the priorities of the IT department and the marketing teams. CMOs and CISOs are not talking to each other enough about the issues – at a time when brand value has never been more important.
The Ponemon study shows that there is little agreement between IT and marketing about who is responsible and how to respond. 71% of IT practitioners don’t see brand protection as their responsibility, despite 43% admitting a cybersecurity incident or data breach would harm the brand value of the company. Yet, more than two-thirds (65%) of senior marketers believe the IT department should take responsibility.
The marketing department also allocates more of its budget to brand protection, with 42% saying a portion of their marketing communications budget is allocated to brand preservation, and 60% saying that their department collaborates with other functions in maintaining brand value. This compares to less than one in five IT practitioners allocating a portion of their IT security budget to brand preservation – and just 18% collaborating with other departments.
Clearly marketing and IT are working in silos, failing to communicate properly and agree a way forward when it comes to the bigger picture – protecting customer data and brand reputation through better security.
Admittedly, more geeky individuals who tend to lack those wider communication skills have run IT in the past, but marketing is known for being represented by good communicators and more outgoing people, so the challenge is in telling the data security story in a language that everybody will understand and agree on.
One thing that both functions agree on, however, is that brand protection is not taken seriously enough by senior-level executives within the business – a criticism that is often raised about the C-suite and security. More worrying perhaps is that 70% of IT professionals do not believe their companies have a high level of ability to prevent breaches, although most CMOs (58%) are confident in their company’s resilience to weather a breach.
With the General Data Protection Regulation (GDPR) less than a year away, the storage and security of customers’ information is top of mind right now for anyone holding data on individuals residing in Europe. If IT professionals and marketers are not aware of their obligations as a business under this regulation, then they need to be.
Certainly from our research, we found customers’ expectations for the security of the personal information they share with companies were higher than CMOs’ and IT professionals’ sense of responsibility. More than three-quarters of UK consumers (79%) believe organisations have an obligation to take reasonable steps to secure their personal information; however, just 64% of CMOs and 66% of IT practitioners agree.
This gap between consumers’ expectations and the perceptions of IT and CMOs about how personal data should be safeguarded doesn’t end there. Fewer than half of CMOs and IT practitioners believe their company has a responsibility to control access to consumers’ information. Yet, 73% of consumers believe they do have an obligation to control access.
Given that brand, reputation and customer loyalty (and loss) are so interconnected, it’s surprising and concerning that those people perceived to be responsible for protecting a customer’s personal information do not accept and admit those responsibilities.
To increase confidence, companies need a strong security posture that includes an effective data breach response plan. But to start with, these organisations need to close the gap between different functions within the business, encourage teams to talk to each other, while ensuring the Board is actively engaged in order to be prepared for the eventual security breach. It’s a case of when, not if.