A company’s reputation and brand image are important corporate assets that can play a pivotal role in determining the success of the organisation. Should something happen that compromises these assets and negatively impacts the public’s perception of the firm, the effects can be devastating. A data breach incident will inevitably call into question the company’s credibility, as it is put under a microscope and examined on how it handled the issue, both before and after the breach. An example of the kind of reputational damage an attack can cause was demonstrated when cybersecurity experts urged parents to boycott VTech's electronic toys after 700,000 British children were affected by a data breach earlier this year.
Although there appears to be a growing appreciation of the impact a data breach can have on a brand’s reputation, with the recent European edition of our Data Threat Report revealing that ‘reputation and brand protection’ is now the most important reason for securing sensitive data, UK organisations continue to strongly associate compliance with security. This is despite data breaches continuing to affect organisations that have been certified as compliant. In fact, when asked about IT security spending plans, ‘compliance’ came out on top, with 48% of respondents citing it as their number one priority. The truth is, even if you adhere to any number of regulations, you can still be breached, and the impact of a breach is rarely mitigated by simply stating that you were compliant.
A case in point is the TalkTalk breach from last year. Initially, when asked whether the affected customer data was encrypted or not, Dido Harding, CEO of TalkTalk, replied: "The awful truth is that I don’t know". When it was revealed that the data had, in fact, not been encrypted, Harding refused to apologise to customers, on the grounds that the security measures in place met compliance requirements. The incident ultimately led to the loss of around 250,000 customers. Although not legally obliged to, had TalkTalk taken the precaution of encrypting more customer data anyway, perhaps the subsequent damage to brand and company reputation could have been avoided. Aside from the obvious financial implications associated with brand damage, every organisation has a level of corporate social responsibility to all of its stakeholders. When a company is entrusted with sensitive data, it is its responsibility to demonstrate a commitment to implementing best practices, which can stretch beyond the interests of the firm and beyond what is required by law, by utilising all the knowledge and technology at its disposal to ensure that all of its data remains secure.
In the current climate, where data breaches are considered an inevitability, there is simply no excuse for not encrypting data, so that when it is stolen it is rendered illegible and of no use to anyone. Organisations seeking to protect their reputation should not ask themselves whether they have merely encrypted everything that compliance regulations mandate; rather, they must simply ask: is all of my customer data encrypted?