Study Finds Data Breaches Can Raise A Company’s Reputation
As the digital role in the overall economy increases — to $53.3 trillion by 2023, estimates the International Data Corporation — so does the cybersecurity risk. But new research indicates that despite the negative consequences, data breaches can actually lead to an increase in many companies’ brand power.
That was a finding of a study reported in the Sept. 1 edition of the Journal of Cybersecurity. It used data on 45 companies from Tenet Partners, a market research company that has been measuring brands across firms for more than a decade through its CoreBrand Index. The study found that the effect of data breaches on a company’s reputation depends on the size and significance of the breach. While the largest and most significant data breaches lead to a 5–9 percent decline in a company’s brand power, the average-sized data breach results in a 26–29 percent increase.
Full disclosure: The reporter authored the study.
The study found that if a data breach is particularly large or occurs in a climate less sympathetic to such safeguard failures, the extensive coverage might scare investors, management and customers. This inevitably leads to a downward spiral in the company’s reputation. This was the case for Yahoo after a 2014 data breach that was publicly revealed in 2016, resulting in heavy criticism and numerous lawsuits.
However, if a data breach is relatively minor and only receives limited negative media attention, it might end up having a positive effect as more people learn about the company and its products and dismiss the breach as inevitable. Honda partnered with an email marketing firm that experienced a breach in 2010, but according to the study, the automaker’s reputation grew as it received media attention.
The Journal of Cybersecurity report goes on to help explain why that attention might lead boards of directors for publicly traded companies to frequently give lip service to cybersecurity. Now, it tends to take a crisis to lead to change within an organization — and, even then, sometimes it might not be lasting.
“Multifaceted cyber risks, powered by dynamic technological and geopolitical forces, are continually reshaping the threat landscape that firms are facing,” said Scott Shackelford, the Cybersecurity Program chair and professor of business law and ethics at Indiana University.
The increase in what have been billed as ransomware attacks to finance rogue regimes and illicit activities, such as one in May that led Colonial Pipeline to temporarily shut down its pipeline connecting Texas to New Jersey, has alarmed security experts.
“We’ve seen a huge uptick in ransomware attacks since the start of the pandemic as the success of attacks and high payouts in the hundreds-of-thousands or even millions-of-dollars ranges have attracted new entrants into the ransomware market,” said Caitlin Doherty, head of Global Communications at Rapid7, a Boston-based cybersecurity firm. “Criminal actors in this market face little in the way of risk or barriers to entry as they rarely face prosecution due to safe-haven nations, can purchase technical tools and capabilities to mount attacks, and the burgeoning attack surface and complexity of technical environments means opportunities for them abound.”
This has led to an increasing recognition that private sector entities will need to “strengthen their security posture,” according to a report by the Cyberspace Solarium Commission in 2020.
The lack of digital and cybersecurity literacy among executives and consumers is one reason that even basic cybersecurity practices are not adhered to, the report says, suggesting more emphasis on K-12 cyber education, so children are exposed to it early.
“We all know and accept that math, science and English are key components to a successful K–12 education, but what about technology? Most children have had their hands on a keyboard or mobile device by the age of 3, yet our educational system does little to teach them how to use these devices or, more importantly, how to use them safely,” said Matt Dunlop, the chief information security officer at Under Armour and former director of applied research and development for the U.S. Cyber Command.
Around 90 percent of breaches originate due to manipulation of individual employees, such as phishing, according to cybersecurity firm Kaspersky. Dunlop says “improving society’s awareness of the threat would not only make for a better-informed consumer but also reduce the risk by making employees more security conscious.”
Edited by Richard Pretorius and Kristen Butler