Monthly Archives: November 2017

How data breaches affect reputation and share value

Larry Ponemon

How Data Breaches Affect Reputation & Share Value: A Study of U.S. Marketers, IT Practitioners and Consumers, conducted by Ponemon Institute and sponsored by Centrify, examines from the perspective of IT practitioners and marketers how a company’s reputation and share value can be affected by a data breach.  As part of this research, we surveyed consumers to learn their expectations about steps companies should take to safeguard their personal information and prevent data loss.

This study is unique because it presents the views of three diverse groups who have in common the ability to influence share value and reputation. Ponemon Institute surveyed 448 individuals in IT operations and information security (hereafter referred to as IT practitioners) and 334 senior level marketers and corporate communication professionals (hereafter referred to as CMOs).

Forty-three percent of IT practitioner respondents and 31 percent of CMOs in this study say their organization had a data breach involving the loss or theft of more than 1,000 records containing sensitive or confidential customer or business information in the past two years.  We also surveyed 549 consumers. Sixty-two percent of these respondents say in the past two years they have been notified by a company or government agency that their personal information was lost or stolen as a result of one or more data breaches.

The results of this study show how data loss affects shareholder value and customer loyalty.  To protect brand and reputation, it is critical the C-suite and boards of directors address consumers’ expectations about how their personal information is used and secured.  On a positive note, the study reveals the majority of both IT practitioners and CMOs believe their companies’ senior management understands the importance of brand management.

The effect of data breaches on stock price and customer losses

For the economic analysis of the stock price, we selected 113 publicly traded benchmarked companies that experienced a data breach involving the loss of customer or consumer data. We created a portfolio composed of the stock prices of these companies. We tracked the index value for 30 days prior to the announcement of the data breach and 90 days following the data breach.

The key takeaway from the analysis is that companies that achieve a strong security posture through investments in people, process and technologies are less likely to see a decline in their stock prices, especially over the long term. Because of their strong security posture, these companies are better able to quickly respond to the data breach. Following are conclusions from this analysis.

  • Following the data breach, companies’ share price declined soon after the incident was disclosed.
  • Companies that self-reported their security posture as superior and quickly responded to the breach event recovered their stock value after an average of 7 days.
  • In contrast, companies that had a poor security posture at the time of the data breach and did not respond quickly to the incident experienced a stock price decline that on average lasted more than 90 days.
  • The difference in the loss of share price between companies with a low security posture and a high security posture averaged 4 percent.
  • Organizations with a poor security posture were more likely to lose customers. In contrast, a strong security posture supports customer loyalty and trust.
  • The 113 companies in our sample that experienced a low customer loss rate (less than 2 percent) had an average revenue loss of $2.67 million. Organizations that lost more than 5 percent of their customers experienced an average revenue loss of $3.94 million.

Other key takeaways

The loss of stock price is not the top concern of CMOs and IT practitioners. Reputation loss due to a data breach is the biggest concern to both IT practitioners and CMOs. Only 20 percent of CMOs and 5 percent of IT practitioners say they would be concerned about a decline in their companies’ stock price. In fact, in organizations that had a data breach, only 5 percent of CMOs and 6 percent of IT professionals say a negative consequence of the breach was a decline in their companies’ stock price.

Thirty-one percent of consumers surveyed say they discontinued their relationship with the company that had a data breach. Of those consumers affected by one or more breaches, 65 percent say they lost trust in the breached organization and more than 31 percent say they discontinued their relationship.

IT practitioners and CMOs both believe a data breach is a top threat to their companies’ reputation and brand value. A data breach is considered by participants in this research to be a top threat to their companies’ reputation and brand value. On a positive note, the majority of IT practitioners (55 percent) and 58 percent of CMOs do believe their companies’ senior-level executives take brand protection seriously.

More CMOs have confidence than IT practitioners in the resilience of their organizations to recover from a data breach involving high value assets. Only 44 percent of IT practitioners believe their organizations are highly resilient to the consequences of a data breach involving high value assets. However, 63 percent of CMOs are confident their company would be resilient to a data breach that results in the loss or theft of high value assets.

More CMOs believe the biggest cost of a security incident is the loss of brand value. Seventy-one percent of CMOs in this study believe the biggest cost of a security incident is the loss of reputation and brand value. In contrast, less than half of IT practitioners (49 percent) see brand diminishment as the biggest cost of a security incident.  

Following a data breach, the IT function comes under greater scrutiny. IT practitioners in organizations that had a data breach (43 percent) consider the following the most negative consequences of a breach: greater scrutiny of the capabilities of the IT function, significant financial harm and a loss of productivity (56 percent, 44 percent and 40 percent, respectively).

IT practitioners do not believe that brand protection is their responsibility. Sixty-six percent of IT respondents do not believe protecting their company’s brand is their responsibility. However, 50 percent of these respondents do believe a material cybersecurity incident or data breach would diminish the brand value of their company.

CMOs allocate more money in their budgets to brand protection than IT does. Thirty-seven percent of CMOs surveyed say a portion of their marketing and communications budget is allocated to brand preservation and 65 percent of these respondents say their department collaborates with other functions in maintaining its brand. In contrast, only 21 percent of IT practitioners say they allocate a portion of the IT security budget to brand preservation and only 19 percent collaborate with other functions on brand protection. This response is understandable because so many IT practitioners do not believe brand protection is the IT function’s responsibility.

Consumers’ expectation for the security of personal information they share with companies is much higher than CMOs’ and IT practitioners’ expectations. Eighty percent of consumers believe organizations have an obligation to take reasonable steps to secure their personal information. However, only 49 percent of CMOs and 48 percent of IT practitioners agree. The research reveals differences in perceptions between IT practitioners and CMOs on issues regarding reputation and brand management practices. However, more serious differences are the gaps between consumers’ expectations and the perceptions of IT practitioners and CMOs about how their personal information should be safeguarded.

CMOs and IT practitioners are less likely to believe their organizations have a responsibility to control access to consumers’ information. While 71 percent of consumers surveyed believe organizations have an obligation to control access to their information, 47 percent of CMOs and 46 percent of IT security practitioners believe this is an obligation.

Consumer trust in certain industries may be misplaced. Eighty percent of consumers say they trust healthcare providers to preserve their privacy and to protect personal information. In contrast, only 26 percent of consumers trust credit card companies. Yet, healthcare organizations account for 34 percent of all data breaches while banking, credit and financial organizations account for only 4.8 percent. Banking, credit and financial industries also spend two-to-three times more on cybersecurity than healthcare organizations.

IT practitioners and CMOs share the same concern about the loss of reputation as the biggest impact after a breach, but after that, the concerns are specific to their function. For CMOs, the impact to reputation is followed by a concern over loss of customers and decline in revenue (76 percent, 55 percent and 46 percent of respondents, respectively). For IT, the two biggest concerns are the loss of their jobs (56 percent of IT respondents) and time to recover decreases productivity (45 percent).

In Congress, Facebook, Twitter take more blame for Russian election meddling, but there’s more coming

Bob Sullivan

We’ve come a long way since Mark Zuckerberg famously said that it was “crazy” to think fake news on Facebook influenced the 2016 election. How far? Not long ago, Facebook said it had identified only a few thousand suspicious accounts on its service that might have been linked to Russia. Today, during Congressional testimony, the firm said 126 million people may have seen Russian propaganda on the service.

During a mostly civil hearing before a Senate intelligence committee on Tuesday, Facebook, Twitter and Google used the strongest language yet admitting their services were abused during the election, and vowed to work against further attacks by foreign governments. The obstacles they face are enormous, however, ranging from the ease of obscuring the origins of such attacks to the problem of “false positives” — tighter controls on content will inevitably infringe on free speech.

Not long ago, Internet firms were content to hide behind their legal designations as agnostic platforms, as opposed to publishers that could be held responsible for content they spread.  The time for that has passed.

“All three companies here…no longer think whatever goes across your platform is not your concern, right?” said Sen. Sheldon Whitehouse (D-R.I.).

Facebook’s general counsel Colin Stretch called the Russian disinformation campaign “reprehensible.” Twitter acting general counsel Sean Edgett said the firm was acting “to ensure that experience of 2016 never happens again.”

Sen. Chris Coons (D-Del.) was unimpressed by the firms’ efforts so far, however.

“Why has it taken Facebook 11 months (to offer this information) when former President Obama cautioned your CEO 9 days after the election?” he asked.

During the hearing, Stretch explained how Russian paid ads were used to drive users toward Facebook pages, which were then used to spread propaganda through the service’s traditional network effects — they were shared and re-shared by users. That’s how a few thousand paid ads could ultimately reach potentially millions of users.

At one point, Coons held up one example — a Facebook page called Heart of Texas that ultimately collected about 225,000 followers.  Ads for the page were purchased in rubles. One Heart of Texas ad said Hillary Clinton was despised by an overwhelming number of veterans, and urged secession if she won the election.

“That ad has no place on Facebook. It makes me angry. It makes everyone on Facebook angry,” Stretch said.

But Sen. Al Franken (D-Minn.) challenged Stretch about why the firm didn’t spot the Russian influence problem sooner.

“These are American political ads (purchased) with Russian money…how could you not connect the dots?” he said. “People are buying ads on your platform with Rubles. You put billions of data points together all the time….You can’t put together rubles with political ads and go, ‘Hmmm. Those two data points spell out something bad.’ ”

“Senator, that’s a signal we should have been alert to and in hindsight, it’s one we missed,” Stretch said.

Twitter was targeted for similar criticism by Sen. Richard Blumenthal (D-Conn.). He held up an ad saying citizens could vote from home, allegedly shown to likely Hillary Clinton voters. Twitter said the ads were ultimately removed as illegal voter suppression.

“But they kept reappearing,” Blumenthal complained.

Most of the fake Russian ads and posts, something Facebook calls “coordinated inauthentic activity,” were issue-based, the firms said. They didn’t necessarily support a candidate, but instead sought to cause fights among users. In Internet lingo, it was a sophisticated troll campaign.

“Russia does not have loyalty to a political party. Their goal is to divide us,” Sen. Chuck Grassley (R-Iowa) said.

Much of the hearing focused on the potential for abuse that comes with social media targeting technology, which allows advertisers to be very selective in who sees ads that are purchased. The tools are tailor-made for micro-targeting propaganda. Blumenthal questioned whether a Russian group could have made micro-targeting decisions without help from political consultants in the U.S., hinting the Russians had help from U.S. agents.

The most chilling part of the hearing occurred after Facebook, Google, and Twitter left, however. Clint Watts, an analyst with the Foreign Policy Research Institute, explained that no single firm could “fully comprehend” the influence that Russians had in 2016 — because Russian propagandists used a holistic plan of attack. A single post on the 4Chan message board would be discussed on Russian-backed Twitter accounts, then spread far and wide on Facebook, then land in news stories on Google, and so on. He called Russia’s 2016 disinformation campaign “the most successful in history,” and said it would certainly be copied.

“The Kremlin playbook will be adopted by others,” he said. Other foreign governments, dark political candidates, and even corporations would copy Russian techniques unless Congress managed to get control of the issue now, he warned.