BreachExchange mailing list archives

How Companies Can Rebuild Trust After A Security Breach


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Wed, 2 Jul 2014 19:12:47 -0600

http://www.forbes.com/sites/katevinton/2014/07/01/how-companies-can-rebuild-trust-after-a-security-breach/

“It’s not a question of if you will be hacked, but when,” says
cybersecurity expert Joe Adams. This is bad news for companies, not only
because of security risks, but also because data breaches have a
significant and measurable impact on customers’ trust and spending habits,
according to a study released Monday. The good news? Customers, who are
generally not concerned about security until a breach happens, are looking
for transparency and timely responses to breaches, something companies can
provide with enough preparation and foresight.

Interactions, a customer experience marketing group, released a study
Monday called “Retail’s Reality: Shopping Behavior After Security
Breaches.” Using the same sampling as the 2010 U.S. Census, the study looks
at how security breaches impact customers’ shopping habits. Forty-four
percent of survey respondents had been the victim of a data breach. A
higher 60% of Millennials had had their data stolen, likely because these
18 to 24-year-olds are much more likely to share their information online
and sign up for retail credit cards, according to DeMeo, Vice President of
Global Marketing and Analytics at Interactions. Trust for retail is low,
with 45% of shoppers saying they don’t trust retailers to keep their
information safe. After a security breach, 12% of loyal shoppers stop
shopping at that retailer, and 36% shop at the retailer less frequently.
For those who continue to shop, 79% are more likely to use cash instead of
credit cards. According to DeMeo, shoppers who use cash statistically spend
less money, hurting the company. Indeed, 26% say they will knowingly spend
less than before.

All this paints a concerning picture for retailers looking to both keep
their company secure and minimize the negative impact of a security breach
if—or when—it occurs. DeMeo says his company does not study the financial
impact of customer reactions to data breaches, but it doesn’t bode well for
a company if consumers are spending and trusting less. Companies need to
either find a foolproof way to prevent security breaches entirely (an
unfortunately idealistic goal), or work to minimize the negative effect of
data breaches on their relationship with customers.

Minimizing the Impact

In speaking to several cybersecurity experts, a few key points emerged
about how companies can minimize the negative effects of a security breach
on customer relations. Across the board, experts stressed that transparency
and communication are key, as clients are often more concerned with how an
organization responds to a breach than with the fact that it occurred.

Customers want to be able to trust that a company can take care of—not just
prevent—a data breach, says J.J. Thompson, CEO at Rook Security. He shares
an anecdote about overhearing farmers at a Midwest diner discussing the
now-infamous Target breach soon after it occurred. “It’s pretty
interesting, but the reason for the mistrust wasn’t because they got
hacked,” Thompson explains. Instead the farmers were upset that Target
didn’t seem sure about the details of the breach. “It’s about trust.
People know that people get hacked. Everyone has been part of a hacking
incident.”

On the business-to-business level, Thompson says companies have a “magic
seven-day window” to come to the table with answers. The same principle
applies when it comes to business-to-customer. “Think about people as
people,” Thompson says. People want answers and want to know that their
company is “being forthright and careful about information.”

In order to be communicative after a breach, companies need to plan ahead.
“One of the challenges that companies are rapidly discovering is that being
prepared post-breach is being prepared pre-breach,” explains Kevin Epstein,
VP of Advanced Security and Governance at Proofpoint. It’s the same concept
as with house robberies, he says: you need to know what can be stolen before
it is stolen. To do this, Epstein says that it is important to have both
threat response systems (knowing the details of how the breach occurred) and
content control (knowing what information was vulnerable).

Having that knowledge will allow a company to make an accurate disclosure.
“I honestly believe the more you know about yourself, and the more you’re
willing to say, makes you more credible,” says Barry Shteiman, Director of
Security Strategy at Imperva. “I would feel more confident buying from a
company that knows when a data breach takes place.”

Communication between departments is also important to ensure that a breach
is reported properly. Shteiman believes that internal communications
between the CEO and CMO are essential to make sure things are said “in the
right way with the right tone.” Thompson adds that IT is often placed in a
spotlight when a breach occurs, which is unfortunate as communications and
human relations are not IT’s specialty. Instead, marketing needs to be part
of the security conversation earlier on.

While security breaches damage customers’ trust in retailers, customers
unsurprisingly tend to be unconcerned about security before a breach
happens. DeMeo says that most people don’t understand—or care enough to
learn about—security until they are personally impacted. Epstein says
consumers don’t need to know the technical details of their companies’
security systems—much like the average person doesn’t understand the
technical details of their bank’s vault—they just need to know that a
company is using the best security in the industry.

“People are very reactive, and that’s how it’s always been,” Thompson says.

Cybersecurity has an added challenge. Cyber crimes are so intrusive because
people don’t have a visceral reaction to cyber danger, explains Raj Samani
at McAfee. “It’s so easy to click. It’s not like the physical world…where
your sense of fear gets heightened,” he says. “In the cyber world, you
can’t rely on your five senses…you could be in an unsafe world, you could
be communicating with someone who is a criminal but your senses don’t get
heightened.”

William Pelgrin, CEO of the Center for Internet Security, echoes this. “We
learn from a tactile approach,” he says. “When you click on a link and
nothing apparently happens other than your machine may be absolutely
compromised. We have to build that visualization of the consequences for
people to understand it.”

Because cyber danger is difficult for people to visualize and customers are
already not attuned to security until a moment of crisis, companies need to
plan ahead long before their customers start thinking about cybersecurity.
That way, if and when a breach does occur, the company can disseminate
accurate and timely information to minimize the negative effect that
security breaches have been shown to have on customer trust.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/