"It takes 20 years to build a reputation and five minutes to lose it," said Warren Buffett in 1930.The good reputation of a company or a brand is now seen as an essential element on the corporate balance sheet. It is a fragile asset that can be lost forever, unless all levels of the business safeguard it.
Companies will do everything within their power to protect their corporate reputation – for instance employing public relations consultants to manage it. There is, however, an ever-increasing threat to corporate reputation in the form of security risks. The affect a security breach can have on brand reputation is becoming more severe as media interest in breaches grows and indeed the shear number of violations continues to increase. This article will examine the fragility of a company's reputation in the light of corporate legislation and consumer/investor opinion. It will also look at whether this fear has reached its rightful place on the boardroom agenda or if CEOs are gambling their hard-earned company kudos by misunderstanding its significance.
The business environment is constantly evolving. Roughly nine tenths of UK businesses now send email across the Internet, browse the web and have a website (DTI InfoSec survey, March 2004 – page 4). Dependence on electronic information and the systems that process it has risen from 76 per cent two years ago to 87 per cent. However, greater connectivity has simply increased the exposure of businesses to security threats that continue to evolve faster than preventions can be found. As many as two thirds of UK businesses have suffered a pre-meditated or malicious security attack this year compared to just under a half two years ago (DTI InfoSec survey, March 2004 – page 5). The number of security attacks continues to grow and there seems little chance of this growth subsiding, despite recent legislation designed to ensure all companies in the UK deploy appropriate security measures.
"Appropriate security measures must be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of or damage to personal data". (Data Protection Act, Seventh Article)
These are words that should strike fear into the heart of a company's board – the legislation refers to both technical measures, such as data encryption, as well as organisational measures – staff data protection training. Research carried out by LogicaCMG found that technical measures were generally being deployed, but there is confusion as to who takes organisational responsibility for security policies. The Data Protection Act (DPA) goes on to stipulate that security measures must ensure a level of security appropriate to the harm that might result from a breach of security and to the nature of the data to be protected. In other words, companies have to employ a risk analysis approach when implementing their security technology and policies. Although the DPA, along with other legislation such as the Computer Misuse Act, has undoubtedly increased investment in security technology amongst UK firms, there are a significant number of businesses, which do not take this necessary risk analysis approach. It is essentially a rigorous process, which forces a company to quantify what they are protecting and the business impact of a breach – a hard task when security is not high on the boardroom agenda. One key area relating to security where it is easy for businesses to contravene the DPA and thus play Russian roulette with their reputations is when dealing with outsourcers.
Outsourcing IT functions in order to concentrate on core business processes is on the rise – Gartner predicted that overall global spending on IT outsourcing will rise from $180.5 billion in 2003 to $253.1 billion in 2008. This has vast implications for security managers trying to stay in line with legislation. According to the DPA, subcontractors who handle personal data in any way must have the same security measures in place as the primary company and a contract should be in place to this effect (ISO/IEC 17799:2000). Companies need to be proactive in ensuring this is the case. If security is breached and personal data is compromised both parties can be held accountable by the information commissioner, meaning that UK businesses cannot afford to cut corners with security and it is an issue that needs to be reviewed and managed at board level.
How far can companies protect their reputation by not admitting to security violations and when should a company report security breaches to customers, business partners and even the police? This is a difficult dilemma that businesses are facing today. In cases where personal data such as credit card information has been illegally accessed either internally or otherwise, the case for notifying those affected is of course strong. However there is an argument that this approach is simply unworkable – where larger numbers of customers are involved, the task of tracking them all down takes time and money. Advocates of this view argue that each situation needs to be assessed in light of its particular circumstances and in certain cases the best approach may be to keep quiet and invest the energy in solving the problem as quickly as possible. CEOs are feeling the extra pressure caused by this reporting dilemma – they are caught in a catch 22 situation. Should the risk of damaging a reputation outweigh the risk of legal claims by aggrieved customers who were not notified? Also, if the organisation doesn't go public, then customers may contact the media directly themselves and, at that stage, the organisation has lost control of the situation.
One of the greatest fears for UK businesses is the effect that a security breach can have on its reputation. Recent research, carried out across the top FTSE 350 companies, showed that the image of the company being tarnished was rated as the biggest fear associated with information security violations. Research, carried out by LogicaCMG, showed that a quarter of consumers would never buy from a company again following a breach of their personal information providing a strong argument for keeping breaches quiet.
There can be no arguing that it is getting harder and harder for the board to ignore the issue of security – breaches don't just cost a company in terms of downtime and technology updates, they can leave a company in violation of the law and with its reputation in tatters. So why is the board not more involved in the act of securing their business? Alarmingly, 73 per cent put the onus on the IT department highlighting a disturbing trend that CEOs do not fully understand the holistic approach that is needed when developing a security policy and assume that technology is the silver bullet. Security breaches have an impact on every aspect of every business function so a coherent, integrated and comprehensive set of technical, physical, personnel and procedural measures is needed.
If company board members do not wake up to the reality of the situation, they must be prepared to not only suffer the loss of its good reputation with its customers but also the investor community. 83 per cent of investors feel that a security breach would have some sort of impact on the company's share price and 68 per cent of investors cite information security governance as a significant criterion when evaluating whether to buy or sell company stock.
No company will ever be 100 per cent safe from all security threats. Legislation such as the DPA, the increasing savviness of the media and consumers to the presence of security breaches and the increasing use of IT in all aspects of today's society have only served to pressurise companies into managing their security effectively. Companies cannot afford to cut corners and CEOs can no longer view security as an IT issue. A holistic approach is required from both the board and the IT department and security measures have to be implemented that meet legislative needs and are adequate for the information they hold. In this way businesses may just stand a chance of winning the reputation gamble.
Dave Martin is a security consultant with LogicaCMG
