For quite some time now, we've been running consumer surveys around the world through global survey provider Wakefield on topics that are of interest not just to people like you and me (I assume most people who will read this have some interest in IT Security, or even Data Security), but also to people who don't work in our full-time world of technology immersion, threat awareness, compliance, regulation and risk reduction.
In November of 2016 (last month as I write this), we ran surveys in the United Kingdom and Germany with the same sets of questions, oriented around brands, data breaches and customer loyalty.
Why is brand such an important topic? I will submit that if you consider yourself "human" in the broad sense of the word, you probably have some particular brand of apparel, food, hotel, cosmetic, music service, physical recreation site, automobile, smartphone, gaming environment, or other category of item with a purveyor or manufacturer that consistently delights you, and that you return to time and again. Perhaps it just makes you smile to see it. Or it could be that every time you try something not from that brand, it's just a disappointment. Places like Procter & Gamble are admired as having turned branding into high art and science. Done right, it's a powerful experience that organizations across the globe long to create in their customers.
And it is seriously at risk today regardless of how wonderful this experience is. No brand, no organization is safe.
What our surveys found: Lose your Customer's Data - Lose your Customer
I feel a little bit like a character from the Harry Potter series when I have to talk about this - and that would be Mad-Eye Moody. Mad-Eye's mantra (as it's known) is "Constant Vigilance!" (all credits for Harry Potter characters and references to J.K. Rowling). But it's not just about vigilance against ransomware, fraudulent transactions, or network attacks; it's about keeping the brand's customers' data safe. Sure - the network has to keep working. Web applications have to have decent response time, and not become havens for fraud. And desktops can't come to a screeching halt - or work can't get done. But if you lose your customers' data, and there are meaningful consequences for those customers, then there is a high probability that your organization's crown jewels of the brand have just been reduced to ashes. And we have survey information about how important this is, not just from last month in the U.K. and Germany, but from a similar survey a year ago here in the U.S.
Let's start with that U.S. data from December of 2015. Find our news alert on the topic here.
First, a data breach with yet another offer in the mail for free credit reporting isn't the trigger for most people. Frankly, most people have probably had at least 3 to 6 of these in the last several years. I challenge you to check up during the upcoming end-of-year holiday season with your family. Unless your relation is no longer active (or too young to be so), I think you'll find they've probably received multiple notices of this type. What people do care about is when something real that affects their day-to-day lives happens. In that U.S. survey 85% responded that if there were some of those real consequences from a retail breach, they would find a new place to shop. Here's what they were:
- 84% overall ... Selected at least one of the items below as a reason to stop shopping at their favorite retailer
- If money was taken from their checking account (67%)
- If unauthorized charges appeared on their credit card (62%)
- If personal information were leaked (57%)
- If their credit score was damaged (54%)
In the U.K., 84% of people overall responded that if an organization had multiple data breaches, they would reduce or eliminate their use of its products or services. The numbers were even worse in Germany - 91%.
If you found out an organisation whose products or services you use had multiple data breaches, which of the following best describes how you would react? (Responses: U.K. – Germany)
16% – 8% – I would continue to use their products or services as usual
27% – 23% – I would limit my usage of their products or services
37% – 37% – I would only use their products or services if I had no alternatives
20% – 31% – I would stop using their products or services completely
I think the first thing to think about is the immediate cost. 20-31% of people would immediately stop using products or services. And another 37% would use them only if they had no other choice. Even if people are as inconsistent as usual, some large percentage of that over 50% would be an immediate loss.
If your personal information were stolen in a data breach of an organisation you do business with, which of the following would you be most concerned about?
38% – 40% – My identity being stolen
48% – 36% – Money being stolen from my bank account
9% – 19% – My account login information being stolen
7% – 5% – Receiving more spam emails
The next thing to think about is what KIND of data about your customers you are keeping, and for how long. Financial data is obviously the most regulated, and at the top of most people's list. But it's the next tier down, at identity theft, that enterprises should think most seriously about. Are you keeping around enough data about your customers that this could happen? If you are, why? And how long do you really need to keep it? Do you really know where it is? Or has it somehow leaked from your production environment into Dev, Test and QA to become much more exposed and at risk?
Keep asking yourself these questions until you have a reasonable idea of what you don't know, and you'll be able to better quantify this risk.