Back in September 2017, the credit monitoring firm Equifax disclosed a breach that exposed the personal information of more than 140 million people.
The data breach soon turned into a public relations catastrophe, causing major damage to the credit brand’s reputation. Equifax’s Buzz Score — an indication of how negative or positive people feel about a brand — fell 33 points in the first 10 days after the hack was publicized. For context, that’s a 44 percent larger Buzz decline than the one Chipotle Mexican Grill suffered in October 2015 after its E. coli crisis.
Even the best customer service in the world won’t matter for a brand with a damaged reputation. Within the first week after the breach, Equifax lost four billion dollars in stock market value, and its costs directly associated with the breach totaled an additional $439 million by the end of 2017.
Equifax isn’t an exception: cyberattacks are happening, and with a vengeance. CenturyLink, in its 2018 Threat Report, revealed that it tracked 195,000 threats, on average, every day. Cyber research firm Cybersecurity Ventures has estimated that by 2021 the world’s annual cost of cybercrime will reach $6 trillion.
In the meantime, compliance with new online regulations continues to be a challenge, and many are still adjusting to the new normal created by the European Union’s General Data Protection Regulation.
Coming out of National Cybersecurity Awareness Month and into the new year, it’s a good time to step back and think carefully about why beefing up cybersecurity and regulatory compliance may be one of the most important steps a company can take to protect its reputation.
Here are a few simple rules to keep in mind.
Speak In A Language That Motivates And Makes Sense
Team members whose jobs are not centered on compliance — customer service or sales, for example — may be tempted to circumvent cybersecurity best practices as they go about their day-to-day jobs.
When security efforts cause additional work that distracts from primary tasks, it’s easy to understand why employees will choose noncompliant behavior. They essentially opt for efficiency over security.
An effective way to help employees fight that temptation is to focus on the value behind prioritizing these efforts and the reasons why doing so will positively impact their individual job functions.
For customer-facing roles, for instance, it might help to ditch the jargon and simply explain that regulators are enforcing these new rules because consumers demand them.
David Wagner, president and chief executive officer of Zix, an email security company, explains that value: “Most adults have fallen victim to a data breach and are increasingly appalled by how companies misuse their personal data. [They] want to work with companies that can prove they take data protection seriously.”
Making cybersecurity and compliance part of everyone’s primary function — and explaining it in a way that employees understand — goes a long way toward remaining compliant and gaining customer confidence.
Be An Example For Your Team
Cybersecurity isn’t just an issue for IT. Every single employee can affect a company’s level of security depending on what they do — or don’t do — as they carry out their day-to-day responsibilities.
Cybersecurity is every employee’s responsibility. But employees are unlikely to prioritize cybersecurity and regulatory compliance best practices if leadership doesn’t set a good example.
One way to keep motivation high is to find ways to incentivize those who follow or support a culture of cybersecurity. Companies that send out weekly cyber tips emails might reward those who read them by entering those employees into a gift card raffle. Gamifying cybersecurity awareness can be as simple as offering prizes to those who complete supplemental security training programs, report phishing messages, and engage in other pro-security activities.
Experts suggest employing a rigorous patch management system to keep track of which employees are installing software updates and which ones are falling behind. But while there may be consequences for those who fail to keep up with recent patches, try to find opportunities to publicly praise those who are practicing good security hygiene.
Know Where You’re Vulnerable
No two businesses have the same exact cybersecurity risks and threats. Assessing those risks first allows a business to address its most critical vulnerabilities — and keep existing systems as efficient as possible — rather than attempting to prioritize all cybersecurity efforts at once.
To start the process, some businesses hire third-party companies to conduct the risk assessment, although that can be expensive. Others decide to complete that assessment in-house, though it’s worth considering that some industries require special certifications that only specialists can provide.
Depending on the risk assessment, common next steps include exposing employees to online phishing simulations, scanning websites and networks for vulnerabilities, and securing physical devices.
Most cybersecurity practices, though, are only as effective as the employees who enact them. Keeping attackers out ultimately comes down to both identifying risks and consistently defending against them. Only companies that do both will have the best chance of keeping cyberattacks, and the damaging PR catastrophes that follow them, at bay.