Save the day with cyber security
Editorial

Data breaches have the potential to break a business, but appropriate input from marketing can stop a total collapse – or even prevent the hack in the first place.

Today, we face a major change in how we operate as individuals and as a society thanks to the sudden and continual advance of the digital world. Before long, we’ll each be carrying a dozen or more devices that rely on the internet and wireless connectivity. They’ll tell us more about ourselves than we care to know, they’ll talk to each other and to far-flung servers, and they’ll make our lives simultaneously simpler and riskier. Your body itself will become an extension of the digital world.

The risks associated with this, however, will prove a challenge for even well-established companies – especially if they’re breached by hackers.

There’s been much discussion of TalkTalk’s recent data breach, which shouldn’t really be a surprise: it’s estimated that it will cost the company £35 million in one-off costs and TalkTalk’s share price has tumbled 20% to its lowest value since 2013. Adding insult to injury, the hack was perpetrated by a bunch of teenagers.

And it’s not just the big companies that get hit – everyone is potentially a Target because the attackers don’t care who they go after, just that they get to the data. 

Worse still, small companies often cannot survive the fallout of a data breach: PwC reports in its Information Security Breaches Survey 2015 that the average cost of a data breach for a small business is between £75k and £311k. When the EU’s General Data Protection Regulation comes into force in a couple of years, the damages will be even worse – under the regulation, companies can be fined up to €100 million or 5% of annual turnover.

With the stakes so high, it’s important that you are ready to deal with the fallout from a breach, in case one does occur.

Owning the narrative in the press is always going to be a major part of that. Unfortunately, when the attackers turn out to be a group of children without any particularly advanced technology, this is a difficult sell. In addition to the usual PR and marketing devices to reduce the short- and long-term damage, then, it’s important that the company is seen to be making amends to its customers.

For companies that have been breached, this means clearly demonstrating that you are making reparations to customers – offering appropriate compensation and identity protection services to the people whose data has been lost or stolen, for instance – as well as showing that the company has learned from its errors. For this, the organisation needs to demonstrate that it is willing to implement technologies, processes and training to minimise the risk of it happening again, while limiting the damage that can be caused should it actually recur.

So far, so technical. From a marketer’s perspective, the importance is in making sure that the world is aware of the steps that the company is taking. The first move is to identify who it is that needs to know. For your average B2C company, the public is clearly the primary market for this information, but, in many cases – and especially for B2B businesses – corporate clients, business partners and even suppliers will want to see clear evidence that the company is taking its newly discovered duties seriously.

Each market has different needs in terms of assurance. An ordinary consumer doesn’t know or care about the difference between ISO 27001 and Cyber Essentials – they just want a clear and uncomplicated promise that their information is safe in future. 

Selling the impact of your organisation’s new security measures to the public at large is by far the easier route. For B2B marketers, however, these assurances of the impact are hollow: partners, clients and suppliers want to know what it is you are actually doing.

Your business needs to understand that these third parties may want verified assurance of your security measures. If you have simply applied a few sticking plasters to the problem, there is no proof of security. They will want real evidence, which may mean that these third parties need to conduct their own audits of your security programme.

However, this is expensive and takes an inordinate amount of time. Nobody really wants either to conduct it or submit to it. Better, then, to ensure that your board and senior managers understand both the practical benefits and market value of recognised programmes like ISO 27001. Being able to point to recognised schemes and certification programmes that the company has signed up to is critical.

But why wait to be attacked? As a marketer, you should have input on the company’s decisions regarding cyber security – after all, when a breach happens it is the company’s reputation that suffers, and you will be the one that has to deal with the fallout. Bringing the customer’s perspective on insecurity to the board is your responsibility.

The C-suite may be a tough crowd, but it is a lot easier to sell them on the benefits of instituting proper security measures before a breach happens than it will be to win around the public and your business partners after a really damaging hack. 

The good news for marketers is that a sensible investment in cyber security – such as gaining ISO 27001 certification – doesn’t just minimise the risks to reputation, brand image and value. It also opens up opportunities when you publicise your credentials to stakeholders and consumers in advance.

A startling 74% of board members say that their customers prefer to deal with suppliers that have proven IT security credentials. Why not prevent that hack happening in the first place, and gain new business into the bargain, by being proactive about your protection?

Steve Woolley, Head of External Affairs, CIM