In the SRS (Security Rating Service) space, customers often ask, “Does reputation in cyber security matter?” and “If so, why?”

While the C-suite and boards are aware that reputation loss poses a great threat to the business, it is not always at the forefront of the technical team’s cyber risk management efforts.

In this blog, we define reputational risk, explain how it relates to cyber risk management efforts and, most importantly, why managing reputational risk matters in the digital era.

Understanding Reputational Risk

To understand reputational risk, let’s start with a definition.

Reputational risk can be defined as a potential threat or a danger to the good name or standing of a business. 

These threats can damage the company’s reputation and eventually affect its revenue. Companies with positive reputations draw in more customers because they are viewed as offering greater value; as a result, their clients are more loyal and often buy more products and services.

The most dangerous property of reputational risk is its unpredictability. It can come from literally anywhere, often without warning, and depending on the severity the resulting damage can be devastating to an organization.

“It takes many good deeds to build a good reputation, and only one bad one to lose it.”

—Benjamin Franklin

The Relation to Lost Business

Reputational risk can threaten the survival of even the largest and best-run businesses by wiping out millions or billions of dollars in market capitalization or future profits.

IBM’s Cost of a Data Breach Report 2020 [1] breaks out the Lost Business cost of a data breach, which is closely related to reputational loss. According to the study [1], the Lost Business category mainly comprises the:

  • Cost of lost customers and acquiring new customers 
  • Reputation losses and diminished goodwill 

Compared to the other cost categories (Detection and Escalation, Notification, and Ex-post Response), lost business was the largest contributing factor, accounting for nearly 40% of the average total cost of a data breach in the 2020 report.

The Intertwined Relationship between Cyber Risk, Reputation and Data Breaches

Cyber risk is any risk arising from the digital world: financial loss, operational disruption, data breaches, a negative event affecting an information system, and damage to the company’s reputation. Cyber risk can emerge in a variety of ways, including:

  • Deliberate attacks to gain unauthorized access to information systems
  • Unintentional or accidental breaches of security
  • IT risks due to factors such as poor configuration or poor integrity

While the root cause of a cyber breach is another story and deserves a separate blog, the resulting reputational damage is undeniable, and in many cases it brings a high volume of lost business with it.

Take the Target data breach of 2013, which occurred through access obtained via a third-party vendor. The breach window ran from November 27 to December 15, 2013, and the breach eventually exposed the personal data of 110 million customers.

Target officials discovered the breach within 16 days and disclosed it to the public 20 days after discovery. Many blamed Target for the time it took to reveal the incident.

Chart: Target’s Buzz rating over time (source: BrandIndex). The Buzz score asks respondents, “If you’ve heard anything about the brand in the last two weeks, through advertising, news or word of mouth, was it positive or negative?” Scores are net scores, calculated by subtracting the percentage of negative responses from the percentage of positive responses for each brand.

After the breach became public, many customers canceled their REDcards and stopped shopping at the retailer. As the BrandIndex chart shows, customer perception took a 54.6 percent dip in the year following the data breach [2].

Target’s breach was one of the biggest data breaches of its time, igniting a conversation about POS protection, customer data security and many other issues that had often been overlooked. Five months after the breach, Target published a list of security measures [3] that included enhanced monitoring and logging, network segmentation, review and limitation of vendor access, and enhanced account security.

Although Target managed to recover from its unfavorable rating, its 2019 Buzz rating was still 18 percent below its 2013 rating.

Reputational Risk as Part of Risk Management

The Target breach is a useful case study of the aftermath of a data breach and its effect on reputation. It also shows how organizations can fall short in managing reputational risk when they merely respond to cyber events and harden the assets that were breached.


Organizations should take a proactive approach to managing reputational risk, just as they do in enterprise risk management. As part of risk management, and of cyber risk management in particular, reputational risk can be quantified and managed adequately by a company. Such a methodology helps managers better identify current and future risks to the reputation of their business and decide whether to accept a given risk or take steps to avoid or mitigate it.

The Role of SRS in Reputational Risk

In today’s economies, 70% to 80% of market value comes from intangible assets such as brand equity, intellectual property and goodwill [4]. This ratio makes businesses vulnerable to anything that can damage their reputation.

With this in mind, NormShield takes a proactive approach to reputational risk in cyberspace. Leveraging various cyber intelligence sources and a dedicated main category named “Reputational Risk”, NormShield continuously monitors a company’s digital reputation using the following sub-categories:

  • Brand Monitoring

where a business analytics process is carried out by monitoring various channels on the web and other media to gain insight about the company, its brand, and anything explicitly connected to the company in cyberspace.

  • IP Reputation

where the company’s IPs and domains are checked for presence on blacklists and for signs of use in sophisticated APT attacks.

  • Fraudulent Apps

where mobile and desktop apps on Google Play, the App Store and pirate app stores are searched for fraudulent or pirated copies that could be used to hack or phish employee or customer data.

  • Fraudulent Domains 

where fraudulent or scam domain names are searched for in cyberspace. Domain name scams are a type of intellectual property scam or confidence scam in which unscrupulous domain name registrars attempt to generate revenue by tricking businesses into buying, selling, listing or converting a domain name. Fraudulent or lookalike domains are also frequently used in phishing attacks targeting a company’s employees or customers.

  • Web Ranking

where the company’s web site is ranked according to popularity, back-links, references, etc.

For each of the above categories NormShield assigns a letter grade as well as a score on a 0-to-100 scale, providing a measurable indicator of reputational risk. With NormShield continuous monitoring, a company can track the trend of its Reputational Risk based on its internet-facing assets, so that risk managers can take proactive action on their brand reputation.
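The Fraudulent Domains category above amounts to a lookalike-domain search: given the brand’s legitimate domain, scan a feed of observed domains and flag the ones that impersonate it. The following added example (my own illustration, not NormShield’s code or scoring) shows the core of such a check in Python. The brand domain examplebank.com, the candidate feed, the confusable table and the token list are all constructed for the example; a production tool would consume certificate transparency or newly-registered-domain feeds and use the Public Suffix List and the full Unicode confusables data instead of the minimal versions here.

```python
"""Lookalike-domain triage for a brand (added example, not NormShield code).

Candidate domains would normally come from certificate transparency logs,
passive DNS or newly-registered-domain feeds; here a constructed list stands
in for that feed. The brand domain examplebank.com is hypothetical.
"""
import unicodedata

# Minimal confusable table (hypothetical; a production tool would use a far
# larger one, e.g. the Unicode confusables data).
HOMOGLYPHS = {
    "o": ("0",), "l": ("1", "i"), "i": ("1", "l"), "e": ("3",), "a": ("4",),
    "s": ("5",), "t": ("7",), "g": ("9", "q"), "m": ("rn",), "w": ("vv",),
}
# Words that make a brand-bearing domain look like a credential-harvesting page.
SUSPICIOUS_TOKENS = ("login", "secure", "account", "verify", "support", "update", "signin")


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert/delete/substitute, cost 1 each)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalize_label(label: str) -> str:
    """Decode punycode, strip accents (NFKD, drop combining marks), lowercase.
    Turns an IDN lookalike such as 'exämplebank' back into 'examplebank'."""
    if label.startswith("xn--"):
        label = label.encode("ascii").decode("idna")
    decomposed = unicodedata.normalize("NFKD", label)
    return "".join(c for c in decomposed if unicodedata.category(c) != "Mn").lower()


def split_domain(fqdn: str):
    """Return (registrable label, tld, subdomain labels).

    Assumption: the registrable domain is the last two labels. Real feeds need
    the Public Suffix List so that e.g. 'brand.co.uk' is split correctly."""
    labels = fqdn.lower().rstrip(".").split(".")
    if len(labels) < 2:
        raise ValueError(f"not a fully qualified domain: {fqdn!r}")
    return labels[-2], labels[-1], labels[:-2]


def homoglyph_variants(label: str) -> set:
    """All single-character confusable substitutions of `label`."""
    out = set()
    for i, ch in enumerate(label):
        for glyph in HOMOGLYPHS.get(ch, ()):
            out.add(label[:i] + glyph + label[i + 1:])
    return out


def analyze(brand_domain: str, candidate: str) -> list:
    """Return the reasons `candidate` looks like an impersonation of
    `brand_domain`; an empty list means it is the brand's own domain or unrelated."""
    brand_label, brand_tld, _ = split_domain(brand_domain)
    raw_label, cand_tld, cand_subs = split_domain(candidate)
    if (raw_label, cand_tld) == (brand_label, brand_tld):
        return []                      # the brand's own domain or a subdomain of it
    label = normalize_label(raw_label)
    reasons = []
    if label == brand_label:
        reasons.append("tld-swap" if cand_tld != brand_tld else "unicode-confusable")
    elif label in homoglyph_variants(brand_label):
        reasons.append("homoglyph")
    else:
        distance = levenshtein(label, brand_label)
        if distance <= 2:              # typical typosquat: omission, swap, doubled letter
            reasons.append(f"edit-distance-{distance}")
    if brand_label in label and label != brand_label:
        reasons.append("brand-embedded")      # e.g. examplebank-login.com
    if brand_label in (normalize_label(s) for s in cand_subs):
        reasons.append("brand-in-subdomain")  # e.g. examplebank.com.evil.net
    if reasons:
        reasons += [f"token:{t}" for t in SUSPICIOUS_TOKENS if t in label]
    return reasons


def triage(brand_domain: str, candidates) -> dict:
    """Map each flagged candidate to its reasons, dropping clean ones."""
    result = {}
    for cand in candidates:
        reasons = analyze(brand_domain, cand)
        if reasons:
            result[cand] = reasons
    return result


# Constructed sample feed (not real observations).
SAMPLE_FEED = [
    "www.examplebank.com", "examp1ebank.com", "examplebank.net",
    "exampelbank.com", "examplebank-login.com",
    "examplebank.com.secure-verify.net", "exämplebank.com", "unrelated.org",
]

if __name__ == "__main__":
    for domain, why in triage("examplebank.com", SAMPLE_FEED).items():
        print(f"{domain:40} {', '.join(why)}")
```

Running the script flags seven of the eight constructed domains and leaves the brand’s own www host and the unrelated domain alone. The reasons are deliberately kept as labels rather than a single score, because the follow-up differs: a tld-swap or unicode-confusable hit is a candidate for defensive registration or a takedown request, a brand-embedded or brand-in-subdomain hit with a credential token is a live phishing lead for the SOC, and an edit-distance hit may simply be a typo registration worth watching.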


References

[1] IBM Security, Cost of a Data Breach Report 2020, https://www.ibm.com/security/digital-assets/cost-data-breach-report/#/
[2] Varonis blog, company reputation after a data breach, https://www.varonis.com/blog/company-reputation-after-a-data-breach/
[3] Target Corporation, updates on Target’s security and technology enhancements (April 2014), https://corporate.target.com/article/2014/04/updates-on-target-s-security-and-technology-enhanc
[4] R. G. Eccles, S. C. Newquist and R. Schatz, “Reputation and Its Risks”, Harvard Business Review, February 2007, https://hbr.org/2007/02/reputation-and-its-risks
