A corporate reputation damaged by a security breach can be harder to restore than lost data. So always be prepared.
Computer security professionals now enjoy a higher status within their organisation than ever before, with even some FTSE-250 companies granting them that long-coveted seat on the board. This puts the chief security officers (CSOs) in a stronger position when it comes to demanding resources, but it also puts their head above the parapet - making them a target if something goes awry.
Another consequence is that the CSO has to change the way he or she thinks about day-to-day business. The job is no longer confined to simply securing the network, it now has to take into account the wider implications of the smallest misjudgement. And once a security breach does occur, all thoughts need to turn to crisis management. What does this mean for the company? Could this affect the brand?
Nationwide is a case in point. The building society was fined £980,000 by the Financial Services Authority after a laptop containing details of nearly 11 million customers was stolen from an employee's home. The record fine was splashed all over the media, and the reputation damage to Nationwide has been described as incalculable. What's worse, the whole incident could have been very easily avoided with simple security measures.
We don't know whether Nationwide's CSO got a rap on the knuckles, but at least two other high-profile bank computer security professionals say they received a briefing from company bosses as a result of this breach - even though their bank was not involved.
So how important is security becoming to marketers? A survey conducted late last year by the Chief Marketing Officer (CMO) Council revealed that 80 per cent of marketers felt that security concerns among customers and their companies were on the rise. And they're not the only ones.
Research by Emory University in Atlanta has revealed that a simple security breach can cost a company up to two per cent of its stock value. That is a very costly mistake. Even in private companies with no stock, the effect on value is huge. The reasons for this loss of value are manifold. In addition to the immediate impact of any negative media coverage, there is the ongoing risk of potential customers deciding against your company. Moreover, existing customers that have been affected by the security breach are likely to stop using your firm, which is the worst possible type of negative publicity.
In City terms, investors are already becoming aware of this. One banking professional says financial institutions can expect a hit of as much as five per cent on share value if the breach is big enough. Investors will not want to put money into a business that has lost the faith of its customers.
"Take a look at a company working with online sales," says Malcolm Marshall, national technology partner at KPMG. "As web-based sales and interaction increase, there is more information about customers stored. This means the importance of security is magnified. To maintain customer loyalty, you must maintain company security." To stress his point, he cites a variety of surveys indicating that online sales will make up 40 per cent of all consumer transactions by 2020.
The model works across all forms of organisations. "Interaction" is the big word in business at the moment, and this means security becomes a higher priority.
"A basic breach will hurt the brand more," says Marshall. "If you can't even reach the first base of security, then you are in some trouble. But it is the response that is important. Can you prove to customers that you did your best?"
To do that you need a good audit trail: records of what controls were in place, who had access to what, and what actually happened, which can be produced after the fact. And to protect your corporate brand, you must keep your marketing team informed of exactly what has gone wrong and what you did to try to prevent it.
"When breaches occur the crisis management ability of an organisation is crucial in maintaining customer confidence," argues Neil Hare-Brown, managing director of information security and incident management firm QCC. "Build a dedicated function for managing events as they occur. In the context of maintaining customer confidence, it ensures companies are organised when dealing with security incidents and prepare and test appropriate response actions."
Complex as it may sound, the basic message is simple: know what could go wrong, and have processes in place to mitigate the damage when it does.
Working hand-in-hand with a marketing team and talking about your security will result in one thing: marketing security. The Co-operative Bank's Smile operation banged a drum loudly at the turn of the millennium stating that it had achieved BS7799. More recently, AOL ran a series of adverts talking about its security features. "Banks will have 70 people working day and night to prevent security breaches," says Marshall. "Across the business world, the security baseline is going up. A certain minimum standard is expected."
A Datamonitor survey published in December 2005 shows that 86 per cent of US and EU consumers have generally become more distrustful of corporations in the past five years. The CMO Council survey quoted earlier says nearly 60 per cent of marketers think good security represents an opportunity to positively differentiate their brands.
So companies will want to publicise it if they have a decent security record, because there is a competitive reason to do so. A firm with the might of AOL does not spend millions on an advertising campaign without making sure that its subject is important to its customers.
But one marketing professional, who does not want to be named, says the tide could change again. "I doubt we will continue to see many high-profile campaigns making a lot of noise about computer security," he argues. "It is expected by consumers now. Companies have done a good job with regards to making them aware of many risks, although some are still oblivious, but security should be a silent partner."
This may grate with many CSOs who will want recognition for their work, but the best advice a computer security professional can give his marketing peers is not to shout too loudly. A public boast about security is an invitation to test it: nobody wants to be hit with a concerted phishing attack or a committed denial-of-service campaign.
Besides, although you may be sure of your own company's security, you cannot always be sure of that of your partners. "Security teams from your firm need to go to your suppliers and make sure they have the same standards you do," advises Marshall. "If there is a breach in an affiliate company your brand could be dragged through the mud."
The larger and more multinational a company a CSO works for, the more difficult this becomes. So perhaps it is best to keep quiet about some things.
The competitive advantage
There is light at the end of the tunnel, however. Although the CMO Council report suggests that 30 per cent of customers would consider using an alternative company if they were on the end of a security breach, 47 per cent say they would wait to see how the company responds. This means two things. First, a company with a better security record than its competitors is more likely to keep hold of its customers. Second, if a security breach does occur, and this could happen in many ways, customers simply want to make sure the company has done its best to prevent it, and is doing its best to solve it.
When budget time comes around, it is worth reminding the chief financial officer of these two points. Better security equates to a better business. Put simply - security markets itself.
HOW A SECURITY CRISIS CAN AFFECT YOUR BUSINESS - Kevin Murray, chairman of Bell Pottinger.
"I have seen companies brought to the brink of bankruptcy because of mission-critical failures," Murray says. "It goes beyond reputation. If computer security fails, it can do far more than initial reputational damage."
Murray has worked with a number of clients over a career that also included stints as director of communications for British Airways and across the Bayer Group.
"The key is that disgruntled clients, whether they are consumers or businesses, will discuss the impact of poor security or poor experiences with their peers," he says.
However, he advises against the promotion of a company's successful computer security record. "If you do it, you are a hostage to fortune. It may be of use when making presentations to individual clients, but not as part of a major marketing campaign," he argues.
"Customers focus on their personal experience of a company rather than whether it is secure. If someone orders something online they want it on time. Security is expected. You would not hear an airline talking about its safety record - it should not be made an issue."
Murray also advises more CSOs to get involved with business continuity plans on the brand side. Although computer security professionals will, as a general rule of good practice, have examined what to do if their own security measures fail, many neglect looking at the impact on the brand.
"Increasingly we are developing crisis and issues management packages with companies that come to us to ask what would happen to their reputation if something went wrong," he reveals. "CSOs need to make sure their PR teams know what could go wrong, and how."
WHAT TO DO IF A SECURITY BREACH HAS OCCURRED - Tim Luckett, issues and crisis managing director, Hill & Knowlton UK.
"As stories about identity theft become commonplace, customer expectations on how organisations handle these issues will rise. The current situation can only get worse as society becomes more dependent on technology and the media are far more clued into the story. Both customer and journalist will be united in expecting organisations to have learned from the Nationwide experience.
"The key to any such issues is to react quickly and reassure customers that the brand is doing everything possible on their behalf. Clients will be more forgiving if you tell them straight away, apologise and suggest some precautionary steps rather than leave them to find out via the media.
"Brand-conscious consumers expect far more today and will want to know that their bank has the relevant pre-emptive provisions in place to guarantee as much personal protection and security as is possible. Another watchword is acting responsibly. While actively PR-ing one's security may not be the way forward, preparation for potential security breaches needs to be a main part of an organisation's incident and emergency planning. This should always be properly communicated to one's customer base.
"Naturally, while no amount of planning can ever prevent hard crime (such as thefts of sensitive information stored on a computer as in the Nationwide case), a brand's reputation can remain intact if it can illustrate and prove that it did everything possible to prepare for and be able to mitigate any potential security breach."
CASE STUDY - EXPRESS HR
If Barclays Bank or Goldman Sachs started crowing overtly about their computer or network safety record, the likelihood is that determined cyber criminals would make it their mission to change that record. Nevertheless, some vendors argue that for a smaller business, or one perhaps a little more out of the public glare, it may be a good thing to openly talk about the safety of your systems.
Paul Raine, operations director of human resources software vendor Express HR, argues that there is a distinct competitive advantage to having secure systems. "Fundamentally our customers want functionality and a good price," he says. "But we process £300 million of client spend a year and having secure systems can tip the balance when trying to win lucrative contracts."
Raine says there has been a change in the expectations of clients requiring Express HR business. "Late last year, some companies started asking us for an independent security audit," he reveals. "This got us thinking about making security part of the marketing push."
Express HR is deploying two computer security firms' offerings - one to defend the perimeter and another to check against insider threats. Raine says this level of security demonstrates to the customer that their systems are secure.
"We never used to talk about security, but now sales staff are given full details because they get asked about it, and we tell them to talk about it," says Raine. "If, as a company, you deliberately go beyond regulatory security requirements, or beyond BS7799, you have a very good case to start talking openly about what you've achieved."
Of course, the other advantage of this is that increased sales provided by the work of the company computer security professional should result in increased budget in the long term - meaning it will be easier to stay at the technological cutting edge.
But once you start being open about security you have to be committed. "We make sure all our passwords are changed every 30 days and each password is alphanumeric with eight digits," says Raine. "Also, it's important to remember that the human link is still the weakest in the chain, so staying on top of that element is important - be aware of the actions of disgruntled employees."
And if you get it right, the reward is not simply another string to your salesperson's bow.
"It's not just about what customers want," says Raine. "If you can go to the board and say your security is good enough, then you are keeping them happy. And there's a corporate and social responsibility element too. Customers want to know if you're being a responsible company - that's not about branding."