A large cost of data breaches lies in brand damage.
I doubt whether there is any commercial or government executive who isn't concerned about data security. Cyber-attacks and data breaches are currently ranked the number one risk faced by organisations globally, and are expected to remain the number one concern in 2024. US Federal Reserve Chairman Jerome Powell regards cyber-attacks as a greater threat than the lending and liquidity risks that led to the 2008 financial crisis. In Australia, the federal government has expanded the coverage of the Security of Critical Infrastructure Act 2018 from 4 sectors to 11 sectors and 22 asset classes, while December 2021 alone saw breaches announced at gaming company Ubisoft, communications giant Huawei, and recruitment company Finite Recruitment (the last affecting Coles, Westpac, AMP and several government departments).
Overall, the average cost of a security breach in Australia in 2021 was US$2.82 million. Not only is this a large figure in itself, it represents a 31% increase over the previous year, easily outstripping the average global increase of 10%, which was itself the largest increase in seven years.
Significantly, lost business accounts for 38% of global security breach costs, the largest single category according to IBM. "Lost business costs include: business disruption and revenue losses from system downtime, cost of lost customers and acquiring new customers, reputation losses and diminished goodwill." Set aside the business and systems disruption, and the remaining elements of this largest cost category all boil down to one thing: damage to the brand.
While organisations are increasingly recognising the value of a strong brand, they have arguably not yet acknowledged the full cost of damage to the brand they’ve worked so hard to build.
There are two key areas where brand damage costs an organisation significantly: customers that leave and don’t return; and reputational damage and loss of trust.
How many customers a data breach costs you depends on the industry you're in. A US survey found that consumers are most likely to return to a retail store (42% would shop there again) and least likely to return to a rideshare service (7%) after a breach. A global survey revealed differences between countries in the proportion of customers who would stop buying from a company immediately following a data breach and the proportion who would never return. In the USA, 83% of customers would stop spending for a few months, while 'only' 21% would do so permanently. In Australia, both figures are 43%: twice as many Australians as Americans are concerned about data breaches in the longer term and will never return to a brand. Interestingly, younger people are more concerned (or at least more willing to act on their concern): 63% of 18-24-year-olds say they have permanently stopped using a firm's services following a breach, compared with 42% of 35-44-year-olds.
As with lost customers, reputational damage is incurred in both the short and the long term. One of the most famous breaches in history hit Target in the US in 2013. Its brand rating dropped by more than half the following year and was still below its original level five years later. No wonder reputational/brand damage is number five on the top ten list of risks faced by organisations.
Using brand to protect against damage
Fundamentally, damage to brand, reputation and customer numbers comes down to lost trust. An organisation’s response to a security breach can help rebuild trust, and the brand plays a key part in this, both before and after the breach.
Before a breach, a strong brand is akin to a suit of armour protecting the company. Many organisations are focusing on building trust (fortifying their brand armour), some through "trust strategies" and "brand trust goals", but ultimately it comes down to being authentic and transparent, from leadership through to messaging. Look at Marriott: the hotel conglomerate suffered not one but two huge security breaches, disclosed in late 2018 and again in 2020, yet it remains one of the leading hotel chains in the world.
After a breach, there are some golden rules to follow to proactively rebuild trust:
- Announce the damage quickly. 90% of consumers expect to be informed within 24 hours if their service provider has suffered a data breach that could have compromised their data.
- Commit to, and undergo, regular security audits. This is one of the steps that Marriott took after their first data breach.
- Address the breach quickly and transparently. Again, Marriott learned from its first breach and communicated clearly with customers about the second one and what it was doing about it, including setting up a website where customers could check whether their data had been compromised.
In a world where attacks on data will continue to increase, building and maintaining brand trust is imperative. Implementing and maintaining a high level of security around personally identifying data will always be your first line of defence. But should your brand be exposed to a data breach, it is the suit of armour you have built up over time that will determine how much damage is inflicted.
IBM, 'Cost of a Data Breach Report 2021'