Customers lose confidence – data breaches aren’t just about fines

A recent survey by Ping Identity shows that customers move away from brands that have suffered data breaches.

Data breaches are now a common occurrence – big-name brands affected in 2018 include FIFA, British Airways, Vision Direct, Eurostar and Marriott. These are just a few of the household names that have suffered at the hands of criminal hackers this year and are under ongoing investigation; any penalties have yet to be confirmed.

It is essential for organisations of all types and sizes to do their absolute best to reduce the risks of a data breach. Not just because regulations and standards such as the GDPR (General Data Protection Regulation) and PCI DSS (Payment Card Industry Data Security Standard) demand it, not just because of the impact a breach has on daily operations, but because there is now statistical proof that customers will abandon brands that suffer a breach.

The risk of long-term reputational damage cannot be ignored.

The report’s key findings

Ping Identity surveyed more than 3,000 consumers from France, Germany, the UK and the US to examine Attitudes and Behavior in a Post-breach Era. The report states its key findings as:

  • One in five people (21%) have been victims of a breach. Of that segment, 34% experienced financial loss.
  • Following a data breach, 78% of people would stop engaging with a brand online. Furthermore, nearly half (49%) would not sign up and use an online service or application that recently experienced a data breach.
  • More than half of consumers (56%) are not willing to pay anything to application or online service providers for added security to protect their personal information.
  • 59% prioritize the protection of their personal information when interacting with an online application or service, compared to only 12% who prioritize a convenient, straightforward user experience and 7% who prioritize a personalised user interface.

Although consumers are increasingly aware of risks and prioritise safety when choosing which platforms to interact with, the third finding highlights the fact that they still consider information security to be a corporate responsibility rather than a personal one.

How can organisations reduce risk?

  • Understand, align with and operate within the regulatory requirements of your industry. Whether that is the PCI DSS, the GDPR, Cyber Essentials certification or the NIS Regulations, compliance with regulatory frameworks will ensure you take the best steps to reduce risk as well as enabling you to effectively respond if you do suffer a breach.
  • Train your staff. Human error remains the leading cause of data breaches, so creating a cyber security culture in the workplace is the best defensive strategy. Training can be classroom-based, but there are other options such as e-learning, in-house training courses, and – of course – books for independent learning. Our staff awareness page is a great starting point, outlining areas for consideration and possible next steps.
  • Remain vigilant at all times. Within the realm of cyber security, being a little bit paranoid is a healthy approach. No one is too big (as seen from the names that have recently hit the headlines), nor too small. A 2018 survey revealed that SMEs are unprepared for cyber attacks despite 25% of them believing it is a matter of ‘when, not if’. The average cost for an SME to recover from an incident is about £90,000, so small organisations should invest in security measures to reduce risks.

Gartner predicts that global security spend will reach £71.72 billion by the end of the year due to four factors: regulatory change, buyers’ mindset, growing awareness of threats and changing to a digital business strategy. With more than 40% of UK businesses experiencing some form of cyber security attack or breach in the last 12 months, it is easy to see why organisations are looking to invest.

However, when building your business case for investment, don’t forget to consider the potential long-term damage a breach could cause to your brand and the human instinct to withdraw from danger. No organisation can easily survive losing 78% of its potential audience.

Download our data breach survival guide and prepare your own data breach response plan.