If you’ve been following the news recently, you’ve seen the torrent of information about Sony’s recent hacking. Given the increasing prevalence of major data breaches in every industry, there are lessons for large organizations hidden among the public reaction. Here are 5 insights I’ve gathered:
1: Digital includes risk
The average employee sends and receives 30,000 emails per year (115 per day in 2013 * 260 workdays per year). That’s just email. Much of our lives has migrated online—banking, SMS, healthcare information, and so on. Consumers and companies alike should recognize two things: digital has made many of our daily activities easier and more efficient, but that convenience and connectivity include some data risk—those databases remain (with all the less-than-thoughtful messages contained within), and perfect security is impossible. In the long term, the risk of a breach happening is very high, and understanding this—for consumers and companies—is critical for being able to react to one.
2: The math on security has changed
There’s no question that data breaches have increased in recent years. According to idtheftcenter.org, breaches across all sectors increased by an average of 25% per year between 2005 and 2013. These have included everything from emails to user IDs to credit card information to Social Security numbers.
Sony’s VP of security remarked a few years ago that it was a defendable business decision to hold off on investments in data security if it might cost more than simply enduring a breach. However, in this age of data security risk, the cost of a breach is more than just the value of stolen intellectual property and offering services to protect personal information. It also includes the cost of lost trust in the organization—trust that’s essential for maintaining a positive relationship with stakeholders. Trust might not fit on a financial statement, but it’s the currency with which a brand operates in the market.
3: Anticipate how the breach will be understood
When a breach happens, the reputational context in which it happens will determine how consumers react. Sony’s recent hacking affected employees the most—all blameless. Yet some of the public reaction included finger-pointing at Sony instead of the hackers, as if the company had invited it. Of course, no company (one hopes) would ever intentionally leak employee data or invite hackers to do so. But if the organization has a history of data security crises, some unfair blame is bound to be directed at it. It’s essential to have a well-communicated plan in place to improve your data security after a breach happens.
4: Reestablish trust with the right spokesperson
It’s important to consider whom the organization chooses to represent it in a crisis. When it’s a data breach or other information-related crisis, a senior technical officer should take the lead in communicating the problem, the consequences, and the next steps the organization will take to protect its employees and customers.
5: Take care of the victims
When a data breach happens, how you communicate your reaction to the breach is essential. If your employees or consumers have private information exposed, immediately share your plan to protect them, in detail. If the victims lost identity information, employ services to help them keep track of their credit and identities. The initial costs may seem high, but the return in trust will be huge.
What has interested you most about the current discussions regarding data security?