As cyber-attacks proliferate across the world, we find out how brands big and small plan to protect their customers’ data – and the measures they have in place should the worst happen.
As chief executive officer of Marriott International, Arne Sorenson’s days are spent traveling between various luxury destinations promoting the hotel chain’s corporate social responsibility programs. Late last year however, Sorenson was the face of a less sunny announcement for the brand – a major cyber-attack. “We deeply regret this incident happened,” Sorenson said in a statement. “We fell short of what our guests deserve and what we expect of ourselves.”
It is now believed that 383 million guests have been affected by the breach (revised down from initial reports of 500 million), with valuable data such as passport numbers, credit card details and the particulars of guests’ reservations and stays compromised, along with biographical data such as names, dates of birth, addresses, phone numbers and email addresses. While investigations are still ongoing, Marriott faces multiple lawsuits from 176 plaintiffs from all 50 states of the US.
In recent years, cybersecurity breaches have emerged as an unwelcome return guest for businesses and brands. According to UK business insurer Hiscox, a third of small businesses have now experienced some kind of cyber-attack, and businesses are now 40% more likely to be the victim of an attack than a break-in.
The next biggest breach in history, in which the data of 143 million consumers (or 44% of Americans) was stolen, knocked 34% off the share price of credit rating agency Equifax in 2017. Worse, for a company that makes its business validating the reputations of others, was the damage to Equifax’s image. According to Ronn Torossian, a crisis management expert and the chief executive officer of 5WPR, Equifax has “a long way to go” before it can repair its standing in the eyes of consumers.
“Brand equity is decimated when consumers view their privacy as being violated,” he says. “It’s not just a problem from a security perspective; frankly, it’s also a problem from a trust perspective. Do I trust this brand with my information? Do I trust this brand? Does it give a damn about me?”
The risks go beyond a loss of brand equity. Stephen Ridley, lead cyber underwriter at Hiscox, says the financial costs of a cyber-attack are large enough to cripple small and medium-sized businesses. “We’ve seen customers lose significant contracts as a result of a cyber-incident. Particularly for a smaller business, if they have one large customer and if that contract were to be terminated, it could mean curtains for them.”
Despite the severe impact a cyber-attack can have on brands and businesses, and despite the increasing frequency of such events, awareness is still low. Stephen Cox, chief security architect at SecureAuth, says that while smaller businesses and brands are “behind the curve… or don’t have the resources to devote to security”, the message hasn’t reached the C-suite either.
“Communicating the risk of a security breach to a board or management is a challenge,” he says. “There’s almost a language barrier.”
Meanwhile, the data collection that fuels modern marketing operations may be increasing the probability of a brand being attacked. According to Rob Norris, Fujitsu’s director of enterprise and cybersecurity for Europe, Middle East, India and Africa, it’s key for organizations to understand the data they’re collating and then protect it. “Obviously, the more information organizations collate then the higher the risk,” he says.
Cox agrees. “It definitely puts them at higher risk. There’s a mantra I really like: if you can’t protect it, don’t collect it. If you are hosting sensitive information then you are a target.”
Darren Thomson, cybersecurity software supplier Symantec’s chief technology officer and vice-president for the EMEA region, says cyber breaches are usually the result of poor practices by human staff. “Good cyber defense is about people, process and technology, but staff are often the weakest link. Their security skills tend to be pretty poor and we still see phishing attacks coming from people opening attachments in emails from accounts they don’t recognize.
“We’ve tried for years to educate people on this; it doesn’t seem to be having an impact.”
To improve the skills and awareness of the next generation of engineers, software architects and marketers, Fujitsu is leading a training program at a number of university training colleges in England.
The tech firm now provides training, expertise and teaching materials to four cyber-colleges, as well as allowing students to gain hands-on work experience at local Fujitsu sites. Norris says the partnership could change the way the tech firm recruits new blood. “Traditionally, Fujitsu has focused on universities to bring on board trainees, but these kids are just as bright and just as skilled as anyone coming out of university,” says Norris. “There is talent here that we hadn’t looked at in the past.”
Meanwhile, Hiscox launched a campaign this year that attempted to visualize the impact of a cyber-attack. Created by AMV BBDO, ‘The Hack’ saw one business – a high street branch of Brompton Bicycle, one of Hiscox’s partners – assailed by mysterious events that simulated the effects of a cyber-attack.
These included a lookalike store opening across the road, doppelganger employees who intercepted the ‘real’ shop’s deliveries, a rush of customers who overwhelmed Brompton’s actual staff with pointless requests before vanishing without purchasing anything, and workmen who assembled street hoardings around the store bearing the legend: ‘Oops! Business is locked. Please pay to access your data. You have 24 hours.’
“It can be really difficult to comprehend what it actually looks like, and how paralyzing it can be when it happens,” says Olivia Hendrick, marketing director at Hiscox. “Our ambition was to bring it to life in a really simple way, taking cyber from the virtual world into the physical world.”
While Hiscox and Fujitsu’s projects are focused on preventing cyber-attacks through greater awareness and education, there’s still little relief for brands caught out in a crisis. Transparency is the prescription from Jonathan Hemus, managing director of reputation management consultancy Insignia, who says brands should consider wargaming worst-case scenarios with key staff to ensure readiness.
“Having those discussions beforehand, and then having an in-principle response in place, provides the foundations for a successful response in practice,” he says.
Going forward, says 5WPR’s Torossian, affected brands need to be as open as possible with their customers. “They have to admit responsibility. They have to own up to any mistakes that were made. And they have to say, ‘Here’s what we’re doing to improve it’. From a PR perspective, apologies really matter. Make a mistake, own up to it, say how you’re going to improve.”
This feature first appeared in the cyberwarfare issue of The Drum magazine. In it, we take a look at the role of our industry in a world where humdrum technology and everyday communication have become weaponised, from our smart homes being hacked and our fridges held to ransom to fake news and deepfakes having far-reaching ramifications for global politics. You can buy your copy here.