Public relations and advertising specialists have clung for many years to the myth that there is no such thing as bad publicity. Reality has busted that myth several times in the recent past, nowhere more so than in the world of cybersecurity. Fees, fines, and compensation paid by companies as diverse as Target and Home Depot following thefts of personal data from their network servers have revealed the real cost of a PR nightmare. Yahoo saw its value drop by $350 million in its pending sale to Verizon following disclosure of two massive data breaches in its networks. In addition to the cancellation of any plans for an IPO, the relationship website Ashley Madison was hit with a $17.5 million fine that it was unable to pay.
These discrete events show that bad cybersecurity PR can have very real and adverse consequences for the fortunes of the affected companies. Conversely, organizations that promote robust cybersecurity practices can see the benefits of those practices in greater customer loyalty and positive brand recognition in the marketplace for their goods or services.
A study published in the Deloitte University Press, for example, shows that 80 percent of consumers are more likely to purchase goods or services from a company that has a reputation for protecting their personal data, and 70 percent are more likely to purchase from a company that has third-party verification of its data security practices.
An organization can convey a reputation for good cybersecurity with a few simple practices. Communication is an essential element of this effort. A company that regularly updates its security systems and procedures should publish information about its actions in emails and other outreach efforts to its clients and customers.
Financial institutions and other entities with websites that manage money transfers and payments have adopted dual sign-in screens with unique images for each account. Including these unique identifiers and additional steps gives customers additional assurances that their transactions are processing over secure networks. Partnering with third-party security services provides similar assurances.
Good PR does not end with the establishment of robust cybersecurity practices. Even the strongest cybersecurity defenses can be breached, and PR can play a critical role in a company’s public response to a data breach. In the event of a suspected hacking attack, every company should establish a cybersecurity response protocol that allows it to quickly identify and assess the severity of a data breach, with managers who have been pre-selected and roles that are pre-assigned to manage the response. At least one manager should monitor media reports of the breach, and the entire team should stay ahead of the story and public discussions of it. This can include issuing press releases and contacting key customers to assure them that the company is taking appropriate action to respond to the threat. All employees should be updated regularly as well, as a means of confirming that a consistent message is broadcast to all concerned parties.
In the end, the most critical PR coup will be a rapid demonstration of a company’s ability to recover its operations and to compensate any customers whose data might have been compromised by a cybersecurity breach. Data breach insurance, from a reputable provider like CyberPolicy, will make this feasible. Procuring cybersecurity insurance, in and of itself, will go a long way toward establishing good PR. As at least one study has suggested, companies that maintain insurance to recover their own operations and to protect their customers’ data will be viewed more favorably and will maintain an advantage over their competitors.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.