From Equifax to Debenhams Flowers, the roll call of breached UK firms shows no sign of abating. New research conducted by Ponemon Institute and commissioned by Centrify may hold one of the clues as to why: a huge disconnect between the priorities of IT and marketing teams and their customers.
73% of customers think organisations have an obligation to control access to their information, but less than half of IT and marketing teams feel the same. There are some major organisational blind spots which pose a real threat to the safety of customer data and the reputation of brands. Only 3% of IT pros are concerned about falling share prices following a breach, despite the research revealing an average drop of 5% which could wipe millions of their value and put employees’ livelihoods at risk.
UK chief marketing officers (CMOs) admit that the biggest cost of a security incident is the loss of brand value with the potential impact of a data breach more damaging to a company’s reputation than the likes of a product recall, an environmental incident or even a scandal involving the CEO.
>See also: The data security landscape of 2027
So, while the prospect of a serious data breach is causing senior marketers sleepless nights, there appears to be a disconnect between the priorities of the IT department and the marketing teams. When brand value has never been more important it seems that CMOs and CISOs are not conversing enough about the issues.
According to the Ponemon study, IT and Marketing can’t seem to agree about where the responsibility lies and how to respond. 43% of IT practitioners recognise that a cybersecurity incident could impact the company’s brand value yet 71% don’t see brand protection as their responsibility. Unsurprisingly approximately two-thirds (65%) of senior marketers believe the IT department should take responsibility.
IT practitioners are the poor relations when it comes to budget allocation for brand protection with less than one in five of them allocating a portion of their IT security budget to brand preservation – and just 18% collaborating with other departments.
The marketing department places much more emphasis in the area with 42% of saying a portion of their marketing communications budget is allocated to brand preservation, and 60% that their department collaborates with other functions in maintaining brand value.
Evidently IT and marketing are operating in isolation with no clear lines of communication and they need to reconsider their siloed priorities and adopt a strategy that focuses on the bigger picture: protecting customer data and brand reputation through better security using a language that everyone understands and agrees to.
One area of common ground between the two areas is that they both agree that senior-level executives don’t take brand protection seriously. Perhaps more significant is that 70% of IT professionals do not believe their companies have a high level of ability to prevent breaches, although most CMOs (58%) are confident in their company’s resilience to weather a breach.
Customer expectations in safeguarding personal information
With the General Data Protection Regulation (GDPR) on the horizon, the storage and security of customers’ information is a priority for any organisation holding data on individuals residing in Europe.
Understanding their obligations as a business under this new regulation should be of the utmost importance to IT professionals and marketers alike.
Centrify’s research indicated that customers’ expectations around the security of the personal information they share with companies surpassed the CMOs and IT professionals’ sense of responsibility.
Just 64% of CMOs and 66 of IT practitioners agreed that organisations have an obligation to take reasonable steps to secure their personal information compared with more than three-quarters of UK consumers (79%).
More worrying is how intertwined brand, reputation and customer loyalty (and loss) are yet those people responsible for protecting a customer’s personal information do not accept and admit those responsibilities. So, what can be done? There are some fundamental steps that organisations can take to improve security and strengthen their defences against breaches:
Beyond a certain size employing a CISO is a must. He or she can take responsibility for improving the lines of communication across the business when it comes to security and must have an established track record of moving organisations from an immature to a strong security posture and bring real experience to achieving best practice.
Provisions should be made to invest in skilled staff and up-to-date security-enabling technologies particularly enterprise-wide encryption.
Data breach response plan
Should the worse happen ensure that you have a threat response plan that is ready to be executed. Pre-assigning roles and responsibilities that include people from right across the organisation is the ideal way to move away from a siloed approach and drive a culture of security and ownership.
Training and awareness programs
Implementing training and education programmes help employees to understand the risks posed by cyber-attacks as well as helping to reduce employee negligence.
Regular security vulnerability audits
Establishing a schedule of regular assessments ensures that any security holes (vulnerabilities) in an organisation’s infrastructure are identified and so that adequate measures are taken to guard against it happening again in the future.
Manage third-party risk
Having a comprehensive program with policies and assessment to managing third-party risk and an identity and access management (IAM) system is a good start point. Categorising who has access to what data and when as well as controlling who sees what and that there is an audit to accompany it is essential.
>See also: The data protection breakthrough
Participation in threat sharing programs
Being involved with threat sharing programmes with partners and companies you trust often provides a much-improved way of detection particularly as similar organisations can often be targeted by the same threat as well as preventing you from carrying out the work already done by someone else.
In a world where the chances of an organisation suffering a data breach is more a case of when, not if, it’s time for organisations to move away from operating in silos and close the gap between different business functions, encourage teams to communicate as well as ensure that senior-level executives are actively engaged and be prepared for the eventual security breach.
Sourced by By Andy Heather, VP and General Manager, Centrify EMEA