How to minimise the customer impact of a cyber attack
Cyber security and the threat of data breaches are a significant and increasing problem for many organisations today. A data breach has the potential to severely damage one of the most important assets an organisation has - its reputation.
No company is safe. Recently, we have seen companies targeted across telecommunications, financial services, retail, entertainment and healthcare. The threats to an organisation's data security come from a variety of sources, including bedroom hackers, organised criminal gangs and even state-sponsored operations. And the threat is growing. GCHQ, the UK Government's security and intelligence organisation, has said that 9 out of 10 major UK businesses have been attacked in the past year.
Whilst companies big and small can do more to prevent issues, through internal security awareness, encryption and intruder detection software, the fact remains that no one can be made completely immune.
Loss of loyalty
So, what's the impact if a data breach occurs? Studies have shown that reputational damage and the loss of customer loyalty following a breach severely hit an organisation's bottom line. Net Promoter Scores typically suffer heavy falls of 30 – 40 points immediately and take months to recover. Even then, the long-term loss of trust is not something that is easily regained. Whilst certain industries, like financial services and healthcare, appear to be especially hard hit by customer turnover, all feel the effects of such an incident.
A 2015 study by the Ponemon Institute calculated that the total cost to an organisation in terms of costs per customer record breached* was a staggering £104 in the UK and $214 in the US. More than half of this amount is due to indirect costs such as higher than expected customer churn. If you then consider that the volume of customer records breached can run into hundreds of thousands or more, the true cost to an organisation can be staggering and could even threaten its future existence.
So, if we assume that companies big and small are at significant risk of a cyber-attack and the impact could be huge, what can organisations do to lessen the impact if the worst does happen?
Here are some steps that could help protect your organisation's reputation:
Have a Plan Ready
Be prepared by having a crisis management procedure in place to follow in the event of a breach. Often organisations spend valuable time working through the details after the event. This is crucial time wasted. The actual response may not be identical to the plan because of the particular circumstances, but the heavy lifting should be done in advance. Train staff up front so they are prepared. As part of the preparation, it's also advisable to check what customer data you actually hold. It will save time in a crisis if this information is already known.
Part of this planning should include gathering and closely monitoring customer feedback in real time. By doing this, organisations can spot unusual activity, such as customers receiving unwanted communication from third parties purporting to be your company, which could indicate a data breach. Staying close to the voice of your customers can be your first line of defence.
You will be judged by the length of time between the issue and disclosure. Waiting a few days to learn more about what happened and to consider your response is likely to make matters considerably worse. There is a definite trade-off here between early disclosure and gaining more knowledge of the issue (scale, root cause and solution) before disclosure. However, alerting customers and the public to issues immediately can help stem some of the long-term reputational damage that inevitably comes from any scenario that gives the impression of a cover-up. Leave it a week or more and you can practically guarantee a long-term disaster.
Be Honest and Take Responsibility
Pretending it was only 5,000 customers whose details you lost when it subsequently turns out to be 50,000 is not good practice. If necessary, in the early stages, you may need to overestimate the impact. Better to do that and row back later than the other way around. The bottom line is that focusing the blame on the hackers is not the right approach. It was your company's failure to protect your customers' data that is the issue here – confess and apologise!
Communicate with your Customer
This is the most important step. How you communicate with affected customers will make or break your response. A common complaint among customers from previous breaches is that organisations fail to keep affected customers informed. It's vital that organisations are clear on what happened and what they have done to fix it going forward. A strong Voice of the Customer (VoC) programme, one that lets you really understand the customer experience if your organisation is hit with a cyber attack, is vital. By measuring the impact on your customer experience in real time, and across a large volume of customers, you can identify which customers are concerned and what they are concerned about. Organisations need to address these concerns head on, and a VoC programme gives you the opportunity to reach out to those customers in a very targeted and specific way. Customers can also be educated on ways they can help prevent future issues.
The use of online FAQs and knowledgeable customer-facing staff is also key. So is social media. A one-to-one conversation with a contact centre agent is very different from a tweet or post that can be quickly viewed by thousands of people. Your social media response will be vital here. Ultimately, it's the combination of empathy for the issues you have caused and reassurance that you have got on top of the issue that is key. No one can guarantee immunity from future cyber attacks, but by demonstrating what happened and what you have done about it, you can begin to rebuild trust.
Increasingly, organisations are also offering free products and services as part of their response. This can have a place as the 'cherry on top' of the other activities, but on its own it can appear fairly hollow. No matter how much free stuff you give, if you can't protect my credit card details I don't think I want to be a customer. That said, free subscriptions to credit reference agency monitoring and alerts, free PC security software and other free services can help to rebuild your reputation, especially when they have some form of link to the issue, as credit alerts do after a card data breach. Simply waiving someone's line rental on a monthly phone contract may be accepted by a customer but is unlikely to lead to a rebuilding of trust.
If you follow some or all of these principles, it's highly likely that the reputational risk will be minimised. And remember this: the actual customer impact of a data breach may naturally lessen over time as more and more people experience one. If that's the case, it's also highly likely that customers will judge organisations far more on their response to the breach than on the breach itself.
* A customer record is information that identifies the individual whose data has been lost or stolen in a data breach. Examples include a retail company's database associating an individual's name with credit card information and other personally identifiable information.