How To Rebuild An Organization’s Reputation And Regain Trust After A Data Breach
Data breaches, whether suffered by Fortune 500 businesses, municipalities, government agencies, court systems, hospitals, or higher-education institutions, have unfortunately become so common that most barely make headlines. Those that do soon drop out of the daily news cycle.
But this lack of public attention doesn’t mean these breaches aren’t serious. The Identity Theft Resource Center (ITRC) reports that the number of data breaches recorded in 2021 has already surpassed the prior year’s full-year total by 17 percent, and that close to 282 million people have been affected.
Though the general public seems uninterested in the story, research shows that organizations that fall victim to cyber attacks do suffer reputational damage within their industries and customer base, and that damage translates into real dollars. According to IBM’s 2021 Cost of a Data Breach Report (CDBR), the average cost of a data breach globally is $4.24 million, with 38 percent of that figure ($1.59 million) attributed to lost business. The report defines lost business as “business disruption and revenue losses from system downtime, cost of lost customers and acquiring new customers, reputation losses and diminished goodwill.”
Note the emphasis on reputation. Analytics and insights firm Aon’s latest Global Risk Management Survey identified damage to reputation as one of the top 10 risks facing organizations around the globe.
So what can organizations that experience a data breach do to regain trust and limit the cost of reputational damage? TalaTek believes the following four steps are critical.
- Fully determine and address the cause of the breach: Pinpoint the initial access vector and the full scope of the intrusion (which systems were reached and which data was accessed or taken), then fix the root cause so the harm is actually contained rather than just interrupted. According to CDBR, compromised credentials were the initial attack vector in 20 percent of breaches, followed by phishing (17 percent) and cloud misconfiguration (15 percent). If the organization does not produce a sound action plan to correct the cause, further damage is likely. When leaders announce the breach publicly, they should be able to state that the problem has been addressed and mitigated; announcing before that point, and then suffering a second incident through the same weakness, compounds the reputational harm. Where a legal notification deadline arrives before remediation is complete, state plainly what is known, what has been done so far, and what remains.
- Notify affected parties transparently and follow breach notification laws: All 50 states have laws requiring private firms to notify individuals whose personally identifiable information has been exposed in a data breach. Even organizations that are not legally required to notify should do so anyway, if only to protect their reputations. Transparency is vital here, because customers, vendors, patients, and others whose information has been stolen need to act quickly to protect their identities and data, for example by resetting passwords or placing credit freezes. The more breach-related information the impacted organization can verify and provide to them, the better; verified facts should be shared, not speculation. Doing so shows that the organization is acting to contain the breach and is taking responsibility by not hiding or omitting information, however damaging it might be.
- Develop and communicate countermeasures for preventing future attacks, including establishing and following an incident response (IR) plan: Once a firm that has fallen victim to a breach pinpoints the cause, fixes it, and transparently communicates what happened, its leaders must develop countermeasures that will prevent a similar attack. Key to this is establishing, testing, and following an IR plan before the next incident, since cybersecurity experts warn that it is almost inevitable that organizations of all sizes will suffer some kind of attack. CDBR found that organizations with both an IR team and a tested IR plan paid approximately $2.46 million less per breach than those with neither. It is critical that the firm communicate the action plan to the public to show its commitment to protecting data going forward.
- Prove ongoing commitment to cybersecurity: The impacted firm must demonstrate to the public its commitment to sound cybersecurity long after the incident. This can include hosting panels and workshops with industry experts on cybersecurity best practices that the public can attend, or creating campaigns that show customers how much the firm is investing in cybersecurity and what changes it has made since the breach to prevent a repeat. Concrete, verifiable changes, such as the results of an independent assessment, carry more weight with customers than self-reported spending figures alone.
There’s no question that data breaches cost organizations plenty, especially in reputation. To prevent breaches from happening in the first place, firms should invest adequate resources in cybersecurity. For more information on cybersecurity best practices, cyber risk management, and incident planning, contact TalaTek.