Data breaches and trust: what can the CISO do to manage reputational risk?
When the Information Commissioner’s Office (ICO) laid down its recent judgment, imposing significant fines on Marriott and British Airways (BA) for data breaches under the GDPR, it sent shockwaves through the media. It was headline news, and all anyone could talk about for weeks.
Data breaches can happen to anyone. And when you fall victim to an attack, it is going to be a painful experience that involves identifying what has been stolen, notifying the ICO of the breach, and then explaining the situation to your customers.
But the really interesting thing about data breaches is…
One of the biggest effects a security breach has on your organisation is the reputational damage it causes to your brand. By failing to adequately protect your customers’ most precious possession, you broke their trust.
And Deloitte agrees. It claims that security risks, including both physical and cyber breaches, are the most frequently noted cause for reputational risk.
The reality is that any damage to your company’s reputation can have a lasting and dramatic effect on its financial health, from reduced revenue, to lost shareholder value.
Reputational risk is sometimes overlooked
According to research from Aon, when assessing the impact of 50 different organisational risks, ‘damage to reputation and brand’ is ranked second.
Because reputation lies in the realm of brand, trust and customers, it can be overlooked by teams outside of marketing, sales or customer success.
But the reality is that it is an important part of the CISO’s remit.
Every organisation is exposed to sophisticated and deliberate data breaches
Hackers with enough intent can usually find a way to exploit the slightest vulnerability within your IT infrastructure.
The challenge that a lot of organisations face is that they don’t know what data they’ve got. Up to 85% is considered ‘dark data’ (of unknown business value) or Redundant, Obsolete or Trivial (ROT). And it is this data that is at risk of theft in a cyber breach, because if you don’t know what you’ve got, you can’t secure it.
Data discovery and compliance software is a powerful and vital tool for any CISO looking to ensure the security inside their data estate is as tight as possible. By securing not only the perimeter but everything held within your data estate too, you can prevent a data breach becoming a reputation-ruining event.
In the case of BA and Marriott, we believe the fines imposed upon them were not as severe as they could have been. In both cases the organisations were fined approximately 1.5% of turnover. We believe that when the ICO investigated, it found that the two companies’ data estates were clean on the inside, and they had taken steps towards protecting personal data.
It starts with a simple snapshot
If you can identify what data your organisation holds – including the 85% of data that lies dark within your estate – you can then categorise, move or delete this data at scale.
‘Spring cleaning’ your data estate in this way helps keep your organisation secure and protected, which in turn assures regulatory compliance, mitigates the risk of reputational damage in the event of a breach, and ultimately affects your financial performance.
Then once your house is in order, you can automate the way your data protection policies are enforced. Now your infrastructure will alert you when people deviate from the rules, which prevents sensitive data ‘escaping’ within your estate, lying unstructured, undiscovered and leaving your organisation exposed.
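The snapshot-then-enforce workflow described above (discover what data you hold, categorise it, flag ROT, and alert when sensitive data ‘escapes’ to unapproved locations) can be illustrated with a small discovery scanner. This is an added example written for this article, not code from the original page or from any vendor’s product; the in-memory estate, the `/secure/` approved location, the 365-day ROT threshold and the two detectors (email addresses and Luhn-valid card-like numbers) are all constructed assumptions for the demonstration.

```python
import re

# Constructed sample "data estate": path -> (file contents, age in days).
# In a real deployment this would come from a filesystem or share crawl.
ESTATE = {
    "/shared/hr/old_export.csv": ("name,email\nalice,alice@example.com\n", 400),
    "/secure/finance/cards.txt": ("4111111111111111\n", 10),
    "/shared/marketing/draft.txt": ("Q3 campaign ideas", 900),
    "/home/bob/notes.txt": ("call 5555555555554444 re refund", 30),
    "/shared/ops/runbook.md": ("Restart the service", 20),
}

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
DIGIT_RUN_RE = re.compile(r"\b\d{13,19}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to separate card-like numbers from random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify(text: str) -> set:
    """Return the set of sensitive-data categories found in a piece of content."""
    categories = set()
    if EMAIL_RE.search(text):
        categories.add("email")
    if any(luhn_ok(run) for run in DIGIT_RUN_RE.findall(text)):
        categories.add("card_number")
    return categories


def snapshot(estate: dict) -> list:
    """Step 1: take a snapshot of the whole estate, tagging every item."""
    return [
        {"path": path, "categories": classify(content), "age_days": age}
        for path, (content, age) in estate.items()
    ]


def rot_candidates(records: list, max_age_days: int = 365) -> list:
    """Items with no sensitive content that have gone stale: safe to review for deletion."""
    return sorted(
        r["path"] for r in records
        if not r["categories"] and r["age_days"] > max_age_days
    )


def policy_deviations(records: list, approved_prefix: str = "/secure/") -> list:
    """Step 2: enforce the policy 'sensitive data lives only under the approved location'.
    Anything sensitive found elsewhere is data that has 'escaped' and should raise an alert."""
    return sorted(
        r["path"] for r in records
        if r["categories"] and not r["path"].startswith(approved_prefix)
    )


if __name__ == "__main__":
    records = snapshot(ESTATE)
    for r in records:
        print(f"{r['path']:<32} {sorted(r['categories'])!s:<18} age={r['age_days']}d")
    print("ROT candidates:", rot_candidates(records))
    print("Policy deviations (alert):", policy_deviations(records))
```

The two lists at the end are the outputs a CISO actually acts on: the ROT list feeds the ‘delete at scale’ step, and the deviation list is what the automated enforcement stage would raise as alerts, so that unstructured copies of personal data do not sit undiscovered outside the controlled location.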
This isn’t just security
It’s your role within the organisation to ensure that your technology, people and processes are up to the job of maintaining high security standards. Doing this effectively also has the positive knock-on effect of mitigating the risks associated with reputational damage.