Written by Ruth Kinzey
As current events clearly illustrate (Adobe, Target and eBay breaches), there is more to a cyber breach than lost data – a massive cyber incident also has the potential to deeply harm the victim company’s reputation. Today we would like to explore the issue of reputation management with regard to cyber threats.
For this we have invited Ruth Kinzey, who kindly agreed to share her views on the topic.
Ruth Kinzey, MA, is a reputation strategist with more than 35 years of communications experience. Ruth is a professional speaker, consultant, author, trainer, and adjunct faculty member of Rutgers University. She is founder and president of The Kinzey Company, an organization dedicated to helping clients proactively and strategically enhance and protect their reputations.
Q: How does strategic reputation management differ from PR or online reputation management?
Both public relations and online reputation are part of the strategic reputation management equation. Being strategic about an organization’s reputation means taking a holistic view by analyzing multiple audiences and communication channels; determining how well aligned the company is within itself; and examining the context in which the business operates. The organizational context takes into account the potential impact local, national and even international events can have on an organization’s reputation in addition to what is happening in the institution’s industry or sector as well as the culture of the firm.
The goals of strategic reputation management are to proactively enhance an organization’s reputation and to help protect it in times of crisis. Consequently, it’s also necessary to understand the organization’s current reputation as well as its reputational goals.
Q: What are the challenges of reputation management in today’s world of cybercrime and cyber warfare?
The cyber world is a bit like the “Wild West.” Laws are not consistent from country to country. Judicial rulings are challenged to keep pace with cyber crime. And while breaches, which impact the privacy of individuals and organizations, can be significant – even catastrophic, the perpetrators must be caught before they can be dealt with aggressively. So, the problem with “cyber lawlessness” is that it financially victimizes the institution and its many stakeholders and can tarnish reputations. This is why every organization should assess and manage its cyber risk.
System vulnerabilities must be identified, prioritized, and mitigated as much as possible. Because hackers are enterprising and highly likely to find weak links in the operating system that an organization may not even realize are present, a crisis plan should be created, too. That way, when a company – or even a nonprofit – is in the midst of dealing with some type of “cyber atrocity,” the organization isn’t trying to make important decisions such as when to notify government agencies, law enforcement, and customers. The institution also isn’t scrambling to determine the best way to contact customers or shareholders or what they should do to help clients or employees best manage the breach.
Without developing cyber risk mitigation measures and carefully constructing a crisis plan, an organization is going to lose more than data. The breach will lead to a reputational disaster, too, because the company will not be prepared on either front. Depending upon the degree of damage that occurs, the business may or may not be able to recover.
Q: Do you think today’s C-suite and upper management understand the impact a cyber incident could have on the organization’s reputation? And, do you believe they are doing anything to mitigate it?
One cannot listen to the news without recognizing the likelihood of a cyber attack. And, there are many businesses – even departments within the government – that have experienced data breaches. Consequently, there are case studies explaining what happened, how the organization managed the crisis, and the resulting reputational impact. So, senior leadership understands cyber crime is a very real threat to an organization’s operation and reputation.
However, is upper management doing anything to mitigate it? That is a very different question. And, the response varies from company to company.
Dealing with cyber crime requires vigilance and money, particularly as hackers become more and more sophisticated in their techniques. Senior leadership and the government are recognizing the importance of collaboration and information sharing. Industry and professional organizations are realizing they have a role in bringing together members to focus on the cyber crime issue and to help tackle this worldwide problem as well.
Q: Which is more harmful: insufficient security of corporate information or customers’ information? What could lead to greater reputational damage?
Both are harmful and both have the potential of damaging reputations. Depending upon the amount and type of data compromised, an individual could experience financial devastation and significant reputational damage. The actions of a business – before, during and after a cyber attack – could result in catastrophic financial implications as well as a severely damaged reputation.
People want to know the company has taken appropriate measures to protect data and that the business is doing all it can to keep personal information safe. In addition, the public wants a trustworthy business partner that keeps them informed about security issues and is willing to help them during the aftermath. A company not perceived as behaving in a proactive and trustworthy manner will experience even greater reputational damage.
Q: How can reputational damage be contained?
It is impossible to entirely contain reputational damage because an organization’s reputation is ultimately in “the eye of its beholder.” Having said this, there are steps a business can take to help reduce the severity of reputational damage.
First, it is important for the company to proactively enhance its reputation through actions such as exemplary customer service, ethical and transparent conduct, and environmentally and socially responsible behaviors. Model performance builds trust and goodwill. This positive reputation helps the public believe in the good intentions of the organization, which causes a more favorable opinion and generates support during times of trouble.
Having a crisis management plan, which includes communication, will help an organization better protect its reputation when in the midst of a cyber attack. Minutes count in any crisis, so having protocols and procedures established improves an organization’s responsiveness to the situation and enables the firm to respond to its many stakeholders in a more thoughtful, strategic manner – both during and after the cyber crime.
Q: Can reputational data be measured?
Yes. But the methodology can vary, depending upon what is being measured.
Insurance companies are paying closer attention to the impact a negative reputation has on a company’s success. Some insurers even offer public relations or media relations assistance when they become aware of potential crises being faced by clients. Other agencies offer reputation insurance because they are keenly aware of the financial impact involved when reputational loss occurs.
If publicly owned, the investor relations department may judge the degree of reputational capital the organization has by factors such as the stock price or number of investors; whereas, the marketing department may measure the number of lost customers, customer feedback, and overall lagging sales. On the other hand, the media relations department may judge the status of the company’s reputation by the types of media inquiries, the tone of articles, the frequency of references to the company in relation to a security breach, or other even more sophisticated parameters. And, there are many online agencies that examine the social profile of a business and offer reputational insights in conjunction with this.
So, reputation – both positive and negative – can be measured. But, it is important to know exactly what you are trying to measure and to have objectives clearly in mind before selecting the best form of measurement to capture this information.
Q: Can an organization’s reputation recover after a cyber attack?
It is possible for an organization to recover after a cyber attack. However, this is primarily dependent upon the company’s actions before, during and after the occurrence of this crime.
The public wants to know the firm took appropriate precautionary steps. Were systems in place to help mitigate such attacks? Was management vigilant, and were issues escalated upon detection?
Also, were victims – and potential victims – notified quickly about the compromise in security and kept abreast as to how their data was affected? Even if a firm doesn’t know the full implications of the breach, it’s a good idea to offer general information and to provide suggestions for protecting personal data.
Not only is a company’s conduct important prior to and during the unfolding of a cyber attack, but people judge a business on its behavior after such an incident. Does the firm demonstrate its understanding of the gravity of the situation? What actions will it implement to try to protect against the same type of situation from occurring again? Are people within the institution being held accountable, particularly if the event was preventable or could have been better contained? Is the organization trying to help victims by taking steps such as offering free credit monitoring?
Overall, the public can be amazingly forgiving, if a business has a good reputation and demonstrates exemplary conduct in how it manages a cyber attack. If this is the case, even if there is a dip in stock performance or lower sales in the short term, people will return. However, if the business has not been proactive in trying to protect its data, lacked transparency in its reporting, or failed to demonstrate its genuine regret for what happened, it will be much more difficult to regain customer, investor, government and public trust.