July 02, 2020 // Tori Taylor // Last Updated: June 06, 2022
Conversations regarding cyberattacks are often limited to the organization that suffered reputational damage from a data breach. We talk about what led to the cyberattack, how it was found and reported, and the associated costs. All of these aspects are important, but there’s a gap in that conversation. Often, the consumers whose sensitive, critical information has been compromised aren’t talked about, or if they are mentioned, it’s only because the company has “graciously” offered a year of identity protection for free. And with all the data breaches that happen, it wouldn’t be surprising if consumers went numb to them. But the thing is, consumers, and in the case of large organizations, auxiliary businesses, are greatly affected by cyberattacks. This leads to skepticism and lack of trust, and as such, consumers are, more than ever, paying attention to what is happening with their data.
According to the 2020 Ponemon report on third-party security, 63% of respondents stated that reliance on reputation is the most common reason for not evaluating the privacy and cybersecurity practices of third parties. In fact, 59% say their organizations rely on signed contracts that legally obligate the third party to adhere to security and privacy practices, which means no evaluation was done before access was granted, and accountability for security protocol is dependent upon a signature. If that reputation is relied upon too easily, it can be damaged just as easily.
PricewaterhouseCoopers (PwC), an audit and assurance company that works in cybersecurity, reported that 69% of consumers surveyed believe that the companies they use are vulnerable to being hacked and attacked by cyber criminals. The same survey found that 87% of consumers are even willing to walk away and take their business elsewhere if, or when, a data breach occurs. These numbers highlight that consumers are not only skeptical of the organizations that hold their critical assets, but that they are willing to leave a company that goes through a data breach. With consumers cognizant of both, organizations must implement standards to protect their networks from bad actors while also preserving their relationships with consumers.
In the past, the media primarily focused on how a data breach hurt the organization. However, newsworthy cyberattacks highlight that the gears are changing to be more consumer-centric. A good example of this switch is the Equifax breach. As a data breach that still makes headlines, it emphasizes the long, drawn-out journey that both the organization and consumer go through once a cyberattack happens. While the organization affected may leave the news after weeks or months of an attack, the journey for the consumer can last a lifetime since they have to protect their identity once a data breach occurs.
Recent critical infrastructure hacks have also highlighted how the ramifications extend far beyond an organization’s digital walls. The Colonial Pipeline hack resulted in gas shortages across the Southeast, and healthcare hacks have created chaos for hospitals, which can turn into a life or death situation for patients.
A huge part of cyberattacks that is rarely addressed is that the organization needs to do whatever it can to save its brand reputation and image. This is easier said than done. A Forbes Insight report found that 46% of organizations had suffered reputational damage as a result of a data breach and 19% of organizations suffered reputation and brand damage as a result of a third-party security breach. That’s almost half of all organizations surveyed, which is 46% too many.
So what keeps brands afloat post-cyberattack? If and when one happens to an organization, the response to the data breach can make or break their reputation. According to Forbes, those that stay in the headlines are the breaches where the company’s response was questioned and its communication criticized. Although the City of Atlanta wouldn’t typically be defined as a “brand”, the City was in the spotlight for nearly 6 months.
A strong counterexample is Norsk Hydro. When the Norwegian energy company experienced a ransomware attack in 2019, it refused to pay. Instead, the company decided to consult supply chain cybersecurity experts to inspect 30,000 employee credentials and get to the root of the attack. By taking responsibility and taking steps to better protect its systems in the future, the company spared itself reputational damage and put itself in a better position if another attack occurs. The question is: how can other organizations follow best practices to prevent both organizational damage and reputational damage?
The best defense is a good offense. So, protect your organization before a breach even becomes a possibility with critical access management, or the management of all critical, sensitive access points and assets within your organization.
Access management software can prevent the need to comb through and do a deep dive into vast employee and service accounts when something goes wrong. Strong software can help an organization practice role-based access control and regularly audit who accessed what and when.
Zero Trust network architecture is exactly what it sounds like. It means your organization trusts no one, and doesn’t let anyone into your network without you approving it. In addition, that person gets access to only what they need at a given moment – nothing more.
Supply chain and infrastructure organizations like Norsk Hydro contain giant networks and work with a vast number of third parties. But they aren’t the only ones. If an organization works with third parties, it needs to protect itself and them. If one of those third parties gets infected, the infection could spread back to the organization or on to its customers’ networks.
Learn more about various software solutions and how to better protect your organization against the “when, not if” of cyberattacks with SecureLink Enterprise Access.