BitSight, the Standard in Security Ratings, has announced the availability of a new study that evaluates how executives understand and effectively measure their cybersecurity performance and adequately communicate it to the board, senior executives, customers and critical stakeholders. The September 2019 commissioned study conducted by Forrester Consulting on behalf of BitSight titled, Better Security And Business Outcomes With Security Performance Management, indicates that cybersecurity performance is critical to achieving commercial success. Among the study’s most interesting findings is that nearly two in five (38%) of enterprises admit they have lost business due to either a real or perceived lack of security performance within their organisation.
Intelligent CIO Europe spoke to industry experts to explore the damage a poor cybersecurity approach can cause to a company’s reputation going forward.
Paul Farrington, EMEA CTO at Veracode: “Reputation is an immeasurable asset to any company. A survey by Gemalto of 10,000 individuals found 70% would stop doing business with a company that had experienced a data breach. Not only does it increase sales and aid with employee retention, it also impacts a company’s valuation and plays a vital role in the level of customer trust created through a brand’s identity.
“A data breach can represent a critical failure of trust among investors, employees, partners and customers. With approximately 30% of all breaches occurring as a result of a vulnerability at the application layer, software purchasers are demanding more insight into the security of the software they are buying.
“As cyberattacks increase, there remains a lack of training on secure coding that can help companies mitigate against vulnerabilities that can lead to breaches. We also need to educate companies on how they can reduce their security debt and that they are within their rights to demand the security of software they are interested in purchasing. After all, the software supply chain in use at any company represents significant risk.
“Although cybersecurity incidents make headlines daily, companies still aren’t doing enough to act on vulnerabilities that could be detrimental to their reputation. Only 58% of businesses have taken action towards implementing five or more of the government’s 10 Steps to Cyber Security. In a GDPR world in which the average business is aware of data security best practices and looks to partner with businesses it trusts to help prevent attacks, it is vital that companies have the ability to demonstrate the verifiable processes they take to secure their software.
“According to a report by Bitglass that analysed the top three breaches of the past three years, publicly traded companies suffered an average drop of 7.5% in their stock values and a mean market cap loss of US$5.4 billion per company. In addition, it reportedly took 46 days, on average, for those stock prices to return to their pre-breach levels. To date, the stock price of Equifax has not yet recovered from its breach.
“Another example we can look at is the disastrous fallout from TalkTalk’s 2015 data breach. Not only did the attack cost the company £60 million, according to reports by The Guardian, but the public nature of the attack paired with the apparent ease of the attack itself sent customers to social media in droves to complain about the breach and resulting loss of service. Kantar Worldpanel ComTech suggests TalkTalk lost 14% of its customers in the year following the attack.
“No matter how sophisticated your security posture is, everyday cybercriminals find new ways to launch attacks. Companies need to be prepared to act when a breach does occur by following best practices, including taking steps to make their code as secure as possible. The way a business proactively prepares to prevent a data breach directly impacts the reputation of a company, not only in the eyes of the customer, but also prospective customers and even employees.
“Take the recent Capital One breach – many initially compared it to the infamous Equifax breach, yet there is a key reason as to why Capital One’s reputation hasn’t been impacted to the same extent. Capital One has a working responsible disclosure process. Once the organisation was aware of the breach through its disclosure process, Capital One alerted the FBI, fixed the vulnerability, and the suspect was arrested. All of this happened within 12 days.
“Cybersecurity risks are rising, but organisations that have a swift, organised risk management approach after an incident will definitely help mitigate the extensive reputational damage we so often see.”
Joe Schorr, Global Executive Services Director, Optiv: “Companies can be hit hard by security breaches. It’s common for stock prices to drop after losing the trust of investors and customers. Even if share prices eventually rebound, there is evidence to suggest the long-term reputation will be severely affected. It seems that experiencing a breach as a result of poor cybersecurity practice will not only damage a company’s short-term standing, but could even lead to future downturns.
“An increasing number of deals are being abandoned or re-valued due to cybersecurity issues. Most involve organisations performing appropriate due diligence where they discover breaches and other cybersecurity issues before closing the deal. In cases where such due diligence is not being performed, or being performed in a perfunctory manner, we also see headlines about after-the-fact cybersecurity issues triggering compliance violations and enormous unplanned remediation costs. These situations quickly turn good deals into bad and could lead to liability issues for directors and officers.
“In addition to the financial impact of a cyberattack, other non-financial impacts are also inflicted following poor cybersecurity practice. For example, if cybersecurity policies are not being implemented correctly, this could lead to inefficiency, as staff are unable to do their job properly, slowing the business down and resulting in dissatisfied customers.
“Ideally, an individual business’ requirements would be the key motivator of its approach to digital security strategy. But, for the vast majority of businesses, reacting to threats is the main driver of action. Due to constantly changing legislation, objectives and external factors, we find that security remains largely a reactive practice, which, in turn, leads to woefully underprepared staff and systems.
“As long as cybersecurity strategy is being heavily shaped by an outside-in approach, a reactive approach instead of a proactive one, we’ll continue to see negative repercussions for companies. Instead of business aspirations, emerging threats and technologies are driving strategy, leaving businesses searching for the right patch, tool, or system to block that threat. This approach leads to bloated infrastructure and inhibits IT decision makers from stepping back, simplifying, integrating tools and creating a truly future-thinking strategy. With all these factors at play, the risk of a cyberattack is heightened.
“While businesses have been slow to embrace cybersecurity as a top-tier risk, it must be noted that it is never too late for a company to recuperate from the effects of poor cybersecurity practices and bounce back as leaders in their industry. But, if customers and investors note that a company is not taking on board teachings from previous cyber breaches, or the business leadership is not listening to IT staff and adopting a proactive, inside-out approach to security, this will hinder them in the long run.”
Shani Latif, Sales Director at telent: “In today’s digital world, technology is an integral part of our day-to-day lives, particularly in the workplace. While the benefits of technology innovations are clear, they also come with risks. When assessing the cybersecurity risk, it’s no longer a question of if these lines of communication will be compromised or threatened, but when.
“Poor cybersecurity can lead to hacks, breaches and data losses. In the face of a cyberattack, this is just the beginning and any breach will lead to significant negative publicity and reputational damage, including substantial financial losses. A recent high-profile example is British Airways, which is facing a fine of £183 million for a data breach that revealed names, addresses and credit card details of around 500,000 customers. In addition to the fine, the airline will face costs incurred from improving its security systems, dealing with the breach and damage to its brand and reputation.
“Cybersecurity breaches such as this are becoming more commonplace in newspaper headlines. Customers are also more cybersecurity-savvy and aware of the associated risks, both in their private and business lives. Consequently, the reputation risk of poor cybersecurity is an increasingly important factor when choosing a provider or supplier of goods and services.
“Good cybersecurity is now considered an essential requirement of today’s businesses, but there are still challenges emerging as attacks continue to escalate and evolve. While attacks are becoming more sophisticated and complex, at the same time regulation, legislation and industry compliance regulations are also becoming more onerous.
“That’s why it is essential for businesses to understand where they’re at with their cybersecurity, how effective their systems and processes are and most importantly, where their vulnerabilities are and how they can prioritise their resources and future investments. What organisations need is a way to evaluate their internal security tools and processes, as well as behaviours, events and evolving threats.
“Cyber Security Maturity (CSM) benchmarking is emerging as a solution which can provide organisations with the intelligence to transform the quality and value of short, medium and long-term planning and decision making. telent offers a CSM benchmarking service to provide organisations with a clearly defined dashboard of metrics and an overall score. This information can be analysed to articulate cyber-risk, enabling businesses to make more informed decisions for cybersecurity investments.
“The potential damages of a cyberattack can no longer be ignored, but they can be mitigated. With the right solution in place, organisations can improve their business resilience, all while adapting to emerging business objectives and the changing technology and evolving threat landscape.”
Tim Orchard, Managing Director, F-Secure Countercept: “Perceptions of inadequate cybersecurity can have a huge impact on a company’s reputation, especially in the event of a data breach or other security incident.
“The TalkTalk data breach is one of the most high-profile examples. The company took an enormous amount of negative press as a result and its share price plummeted more than 20% in the following weeks. The breach cost the company more than £77 million in total, including a £400,000 fine from the Information Commissioner’s Office.
“TalkTalk has now largely recovered from the incident and former CEO, Dido Harding, has also been very open and constructive about discussing the breach, for example highlighting the issue of legacy technology in her keynote speech at Infosecurity Europe.
“Looking further back, there was a massive commercial impact for PA Consulting when an employee lost a USB stick containing the personal data of more than 84,000 UK prisoners. Within two weeks, the Home Office had announced the cancellation of PA Consulting’s multimillion-pound contract.
“The impact of a cyber incident on a company’s reputation can vary wildly depending on several factors. A business that is seen as having been negligent about basic security and failing its duty of care to customers will always suffer the heaviest hit to its reputation. In many cases, it is the perception of failure that will have the biggest impact, while the reality of the breach may actually be quite different.
“Similarly, incidents that involve the personal details of consumers will almost always receive more attention and a lot more negativity. Shipping giant, Maersk, suffered huge losses and disruption to the delivery of global food supplies after being struck with a major ransomware infection, but was treated much less harshly than incidents such as TalkTalk and BA that involved private data.
“An organisation’s immediate response in the hours and days after an incident is also extremely crucial. Companies that can demonstrate they are on top of the problem and are transparent about what has happened and how they are working to fix it can greatly reduce the reputational damage – Norsk Hydro is a good example of this. Conversely, companies attempting to cover up the incident are likely to be heavily punished.
“It’s also important to note that the idea of ‘weak’ security is often very subjective. What amounts to inadequate security for one business could be entirely appropriate for another. Factors such as the potential level of threat involved, the company’s size, industry and operational structure will greatly influence its risk profile and the security measures it should have in place, so companies should instead be thinking in terms of ‘right sizing’ their security.
“Security levels can also vary based on the company’s appetite for risk and what it considers acceptable. For example, the average business is highly unlikely to have to worry about being ‘patient zero’ in a sophisticated cyberattack orchestrated by state-sponsored threat actors, so it would be counterproductive and expensive to consider that type of threat.
“Following best practice on the basics, such as the UK government’s Cyber Essentials scheme, is a good way for companies to ensure they have covered the fundamentals that will both mitigate the risk of a cyberattack and reduce the reputational damage when an incident does occur. From there, they can move on to tackling advanced threats and improving their overall cybersecurity posture.”
Chris Hodson, EMEA CISO at Tanium: “An organisation’s reputation is increasingly contingent on maintaining a robust approach to cybersecurity and IT operations. This has been illustrated over the last few years by a number of high-profile breaches that have, in turn, led to ongoing reputational issues or loss in consumer trust for some organisations.
“Over the last 18 months, we’ve seen this amplified as we’ve entered a hyper-regulatory environment, illustrated by the likes of CCPA in the US and GDPR in Europe. Businesses are increasingly bound by stricter regulations to safeguard sensitive data and report breaches in a timely manner or risk facing sizeable fines.
“So why, when organisations are working hard to mitigate cyberthreats, do we still see so many succumbing to data breaches?
“The problem is that you can’t have a strong approach to cybersecurity and IT operations without understanding where your digital assets – such as staff laptops – are, what’s running on them and the vulnerabilities that exist across the environment. And while physical assets like laptops and servers are critically important, even more so is the data on them. Companies should not merely focus on physical assets alone. They need to understand the significance of data as an asset and ensure they are implementing the best possible safeguards to protect it. Without this basic IT hygiene, any ‘higher-level’ cybersecurity practices are the same as building a house on sand.
“Another challenge is keeping pace with the growing number of threats and attacks – in the 12 months prior to April 2018, more than 40% of all UK businesses suffered a breach or attack and this number has only been increasing according to gov.uk. Being fully prepared to face a cyberthreat requires an organisation to identify and protect all digital assets – like laptops and servers – across an organisation’s entire ecosystem.
“Organisations must be able to keep track and maintain control of every IT endpoint across the enterprise environment. As firms grow, they are often faced with having to navigate around various scenarios including expanding their teams, merging with other businesses, upgrading technology and managing an ever-growing number of endpoints. This push and pull between business objectives and cybersecurity has its repercussions. Our latest study found that 95% of UK CIOs and CISOs have had to make compromises in how well they are able to protect their organisations from disruptions to technology, including cyberthreats and outages.
“Organisations need to invest in an IT security and operations framework that addresses potential risks from the outset.”