Avid readers of the Malwarebytes Labs blog will know that we strive to prepare businesses of all sizes for the inevitability of cyberattacks. From training employees in basic cybersecurity hygiene to guiding organizations in formulating an incident response (IR) program and a cybersecurity policy and in building an intentional culture of security, we aim to promote proactive prevention.
However, there are times when organizations need to be reactive. One of these is business reputation management (BRM), a buzzword for the practice of ensuring that an organization always puts its best foot forward, online and offline, by constantly monitoring and dealing with the information and communications that shape public perception. This is a process executives must not neglect, especially when the company finds itself at the center of a media storm after disclosing a cybersecurity incident that has potentially affected millions of its customers.
In this post, we look at why companies of all sizes should have such a system in place by having a refresher on what forms a reputation and how much consumer trust and loyalty have evolved. We’ll also show you what proactive and reactive BRM would look like before, during, and after a cybersecurity fallout.
Reputation, like beauty, is in the eye of the beholder
A company’s reputation—how clients, investors, employees, suppliers, and partners perceive it—is its most valuable, intangible asset. Gideon Spanier, Global Head of Media at Campaign, has said in his Raconteur piece that it is built on three things: what you say, what you do, and what others say about you when you’re not in the room. Because of the highly digitized and networked world we live in, the walls of this room have become imaginary, with everyone now hearing what you have to say.
Looking up organizations and brands online has become part of a consumer’s decision-making process, so having a strong and positive online presence is more important than ever. But given that only 15 percent of executives are addressing the need to manage their business’s reputation, there is clearly work to be done.
Consumer trust and loyalty have evolved
Brand trust has grown up. Before, we relied on word of mouth—commendations and condemnations alike—from friends and family, the positivity or the negativity of our own and others’ experiences about a product or service, and endorsements from someone we look up to (like celebrities and athletes). Nowadays, many of us tend to believe what strangers say about a brand, product, or service; read the news about what is going on with institutions; and follow social media chatter about them.
The relationship between consumer trust and brand reputation has changed as well. While mainstream names are still favored over new or unfamiliar brands (even if they offer a similar product or service at a cheaper cost), connected consumers have learned the value of their data. Not only do they want their needs met, but they also expect companies to take care of them—and by extension, the information they choose to give away—so they can feel safe and happy.
Of course, with trust comes loyalty. Weber Shandwick, a global PR firm, found in its report, The Company behind the Brand: In Reputation We Trust [PDF], that consumers in the UK tend to associate themselves with a product, and if the company producing that product falls short of what is expected of it, they bail in search of a better one, which is usually offered by a competing brand. It’s not hard to imagine the same reaction from consumers in the United States when customer data is stolen in a company-wide data breach.
Business reputation management in action
Finding their business in the crosshairs of threat actors is no longer a mere possibility, but something executives should always be prepared for. The good news is that protecting your business reputation from these risks is not impossible.
In this section, we outline what businesses can do in three phases—before, during, and after an attack—illustrated with real-world examples, to give organizations an idea of how they can formulate a game plan to manage their reputation now or in the future. Note that our pointers are framed in the context of cybersecurity and privacy incidents.
Before an attack: Be prepared for a breach
- Identify and secure your company’s most sensitive data. This includes intellectual property (IP) and your customers’ personally identifiable information (PII).
- Back up your data. We have a practical guide for that.
- Patch everything. It may take a while, and it may cause some disruption, but it’ll be worth it.
- Educate employees on basic data security measures, social engineering tactics, and how to identify red flags of a potential breach.
- Put together a team of incident responders, if the company has decided to handle incidents in-house. If this is the case:
  - Provide them with the tools they will need for the job.
  - Train them on how to use these tools and on established processes for proper evidence collection and storage.
- Create a data breach response plan. This is a set of actions an organization takes to quickly and effectively address a security or privacy incident. Sadly, according to PwC’s 2018 Global Economic Crime and Fraud Survey, only 30 percent of companies have this plan in place.
- Once created, make sure that all internal stakeholders—your employees, executives, business units, investors, and B2B contacts—are informed about this plan, so they know what to do and what to expect.
- Learn the security breach notification laws in the state your business is based in. Make sure that your company complies with the legislation.
- Establish an alert and follow-through process. This includes maintaining a communication channel that is accessible 24/7. In the event of an attack, internal stakeholders must be informed first.
- On a similar note, create a notification process. Involve relevant key departments, such as marketing and legal, in coming up with what to say to customers (if the breach involves PII theft), regulators, and law enforcement, and how to best notify them.
- Depending on the nature of your company and the assets that may be affected by a breach, prepare a list of special services your company can offer to affected clients. For example, if your company stores credit card information, you can provide identity protection to clients, with a contact number they can call to use the service. This is what Home Depot did when it was breached in 2014.
During an attack: Be strategic
- Keep internal stakeholders updated on developments and on the steps your company has taken to mitigate and remedy the situation. Keep phone lines open, but it is more efficient to send periodic email updates. Create a timeline of events as you go along.
- Identify and document the following information and evidence as thoroughly as you can, as it will be needed when the time comes to notify clients and the public about the breach:
  - Compromised systems, assets, and networks
  - Patient zero, or how the breach happened
  - Information on affected machines that has been disclosed, taken, deleted, or corrupted
- If your company has a blog or a page where you can post company news, draft an account of the events from start to finish and of what you plan to do in the weeks following the breach. Be transparent and effective. This is a good opportunity to show clients that the company is not just talking the talk but also walking the walk. The Chief Marketing Officer (CMO) should take the lead on this.
After an attack: Be excellent to your stakeholders
- Notify your clients and other entities that may have been affected by the breach.
  - Publish the company news or blog post drafted about the cybersecurity incident.
  - Send out breach notifications via email and social media, linking back to the blog post.
- Prepare to receive questions from clients and anyone who is interested in learning more about what happened. Expect to have uncomfortable conversations.
- Offer additional services to your clients, which you have already thought out and prepared for in the first phase of this BRM exercise.
- Continue accepting and addressing concerns and questions from clients for an extended period after the notification.
- Implement new processes and adopt new products based on post-incident discussions to further reduce the likelihood of future breaches.
- Rejuvenate stakeholders’ confidence and trust by focusing on breach preparedness, containment, and mitigation strategies as proof of the company’s commitment to its clients. This can turn the stigma of data breaches on its head. Remember that a breach can happen to any company in any industry. How the company acted before, during, and after the incident is what will be remembered, so use that to your advantage.
- Audit the information your company collects and stores to see whether you hold data that is not actually needed to fulfill your product and service obligations to clients. The logic is simple: the less data you keep about customers, the less data is at risk. Make sure that all your stakeholders, especially your customers, know which data you will no longer be collecting and storing.
  - Following a breach in December 2015, Wetherspoon deleted its entire database of customer email addresses as a way of minimizing the amount of data it stored about its clients.
- Recognize the hard work of your employees and reward them for it. Yes, they’re your stakeholders, too, and shouldn’t be forgotten, especially after a cybersecurity incident.
Business reputation management is the new black
Indeed, businesses remain a favorite target of today’s threat actors and nation states. At this point it’s the new normal—something that many organizations are still choosing to deny.
Knowing how to manage your business’s reputation is seen as a competitive advantage. Sure, it’s one thing to know how to recover from a cybersecurity incident. But it’s quite another to know what to do to keep the brand’s image intact amidst the negative attention and what to say to those who have been affected by the attack—your stakeholders—and to the public at large.