In-Depth

How Security Breaches Impact Your Brand

New study shows disconnect between executives' understanding and action

• By James E. Powell
• 10/31/2006

The results of the latest CMO Council study should give pause to corporate management. The group polled consumers, executives, and marketers, concluding that companies are failing to keep pace with the financial, customer, and brand implications of information security. In its report, “Secure the Trust of Your Brand—How Security and IT Integrity Influence Corporate Reputation,” the largest research initiative on the impact of security on corporate brands and business value, one thing is clear: actions don’t meet awareness.

Security breaches are certainly widespread: The FTC reports that in 2005 more than 52 million account records held by 9 million Americans were in jeopardy because of security breaches, creating a cumulative ID theft loss of over $54 billion—or $5,885 per person. Another 30 million cases were reported so far this year.

The costs aren’t just high to customers; they are high for corporate profits. The council notes a Ponemon Institute study reporting that companies experiencing a data breach spent an average of $14 million on recovery costs, including unbudgeted spending for legal counsel, mail and phone contact with customers, and increased call-center support.

Furthermore, the study reported that 65 percent of consumers say they experienced some kind of computer security problem, with over half saying that would either strongly consider or definitely take their business elsewhere if their personal information were compromised. Executive awareness is also high: 80 percent of the 250 executives and marketers polled noted the growing level of concern for their companies and customers about security.

In fact, among marketers and corporate executives, nearly 84 percent believe security has become a greater business concern over the past year, 83 percent believe it’s a greater concern to their customers, 76 percent say breaches and failures impact brand reputations, 59 percent believe security and IT integrity can be a differentiating factor in the market.

The report notes a disconnect “in what marketers believe and what is being done: 60 percent report that security has not become a more significant theme in their company’s messaging and marketing communications. Just 29 percent say their company has a crisis containment plan for security break-ins and failures,” while another 27 percent doesn’t know if such a plan exists.

Executive response is not much better: 70 percent of executives say that security is a greater concern of their business, and 90 percent say s it’s a greater concern of their customers, but only half maintain they have a specific crisis-containment plan in place.

Executives have cause to worry. An Emory University study found that company losses can range from .63 percent to 2.1 percent of the company’s stock price when a breach is reported, for a market capitalization drop of between $860 million and $1.65 billion per incident. Security problems may also keep customers away; the study notes that security provided to customers is the fourth most-important factor influencing whether a consumer does business with the company (behind products/service quality, treatment of customers, and honesty/ethics).

The report concludes that “A company that delays its response to a breach, provides vague statements, or refuses to comment altogether only increases [the] damage to its reputation that began with the breach itself. A response plan should be designed to demonstrate quickly, clearly, and publicly that a company is fully committed to addressing the problem and undoing any real or potential damage to customers.”