A recent Ponemon Institute study set out to examine the attitudes and perspectives of three key stakeholder populations inside a business environment: Marketing practitioners, IT practitioners, and consumers. A key objective of the Delinea-sponsored study was to understand the impact of a data breach on a company’s customers, stock price, and overall brand reputation.
Among the survey’s key findings: A data breach now outranks a scandal involving the CEO in terms of adverse impact on a company’s reputation. In fact, breaches ranked in the top three most negative events, following shoddy customer service and an environmental incident.
Consumers place a significant amount of trust in the companies they share personal data with, and they do so because 71% of them believe those companies accept an obligation to control access to it. However, according to the study, less than half of CMOs and IT practitioners agree.
Perhaps that explains why when a breach does occur, consumers respond with surprise, confusion, and anger. Sixty-two percent of consumers surveyed claim to have been victims of a data breach. Nearly two-thirds reported that the incidents caused them to lose trust in the breached organization, no doubt exacerbated by the fact that 16 percent also said that it resulted in a criminal act like credit card fraud. As a result, nearly a third took steps to terminate their relationship with the organization.
The study found companies that experienced a breach saw an increase of up to seven percent in customer churn, equating to millions of dollars in lost revenue -- a real hit to the bottom line. The lesson for IT and marketing is that customers share information with the idea that we’re doing everything possible to protect it, starting with tightly controlling access. We must live up to those expectations or our brands will suffer and we’ll lose both existing customers and the ability to attract new ones.
While both marketing and IT were in agreement that a loss of brand value and reputation topped the list of negative impacts of a breach, they still weren’t entirely on the same page: Seventy-one percent of CMOs believe the biggest cost of a security incident is the loss of brand value, while just 49 percent of IT practitioners agree.
The two groups also disagree on secondary effects. While marketing pros pointed to a loss of customers and a decline in revenue, the biggest issues for IT were recovery time, decreased productivity, and the fear of job loss. What 80% of both groups missed entirely was the impact on the company stock price, which drops an average of five percent the day a breach is disclosed.
While customers and businesses have largely grown used to the daily news of the latest breach, the impact has become exponential, wreaking havoc and financial loss. In the last year, we’ve seen a presidential election affected, a Yahoo! deal impacted by $350M, and a $400M loss in shareholder value the day the latest Chipotle data breach was announced.
This is a wake-up call for CMOs and IT professionals. CMOs have spent their careers building brand and reputation and can watch the stock and the reputation nosedive in a single day -- while two-thirds of their IT counterparts don’t believe that brand protection even falls within their realm of responsibility.
Today’s breaches are a company-wide problem, and IT and marketing professionals need the full support of the C-suite to combat them. Yet according to the study, over 40 percent of both surveyed groups do not believe brand protection is taken seriously by company executives.
A key difference between companies in the study centered around the strength of their security postures. A weak security posture is characterized by a lack of incident response plans, inadequate funding for enabling security technologies, frequent turnover of security personnel, and a company culture that values productivity over security.
A strong security posture is characterized by the existence of a fully dedicated CISO, an adequate budget for security technologies like identity and access management, training programs to reduce employee negligence, and regular vulnerability assessments.
After a security breach, companies with a weak security posture lost an average of seven percent of their stock value, which typically had not rebounded four months later. Security laggards also lost more than five percent of their customer base and experienced an average revenue loss of nearly $4 million.
On the other hand, those with a strong security posture lost just three percent of their stock price, recouped those losses just seven days after the incident, and earned an additional three percentage points four months later. The security-focused companies also experienced a relatively low customer churn rate of less than two percent, which led to an average revenue loss of $2.67 million.
The takeaway is this: Companies that highlight security as an integral part of their brand story and that have implemented the most up-to-date security, like identity technologies (such as multi-factor authentication), to protect against data loss will fare better with investors and consumers and will rebound from the event more quickly and more effectively. Nearly half of IT practitioners surveyed believe a strategic security infrastructure is a competitive advantage. Looking at the numbers, it’s pretty hard to refute that.