– Debbie Laskey, MBA
Is your industry crowded? Does one brand overshadow the rest of the players in your industry? How can your business stand out? Here are five tips every business can learn about branding from recent data breaches.
With countless stories centering on the recent Sony and Anthem data breaches in the mainstream media, the time has long since passed for businesses to become proactive with their risk management planning. However, many businesses continue to operate with their heads in the sand.
Today, after reading this article, you will learn:
* Invaluable insights from some security/privacy industry experts
* Five useful lessons that you can apply to your business
* The website that announces data breaches the moment they happen (and not Krebs on Security)
According to Wikipedia, “A data breach is a security incident in which sensitive, protected or confidential data is copied, transmitted, viewed, stolen or used by an individual unauthorized to do so. Data breaches may involve financial information such as credit card or bank details, personal health information (PHI), Personally identifiable information (PII), trade secrets of corporations or intellectual property.”
According to Robert Siciliano (@RobertSiciliano on Twitter), online safety expert for Intel Security and personal security/identity theft expert, “These days, the consensus is that when a company is breached, it’s their fault. While the company certainly needs to accept a portion of the blame, it’s often dragged through the mud by the media. While it’s important for companies to respond to a breach as quickly as possible, they must lock down their networks before they inform the public. Locking down is essential so that they don’t inform the public and then more data is exposed making them look like they don’t have control. They also need to express to the public and the media that they are victims of crime – I don’t see this often enough. It’s also important that companies inform the public as to what steps need to be taken in regard to the type of data that has been breached. Too often, I see companies responding with a blanket approach to security that involves way more fixes than is necessary, and this just leads to confusion by the public.”
Rebecca Herold (@PrivacyProf on Twitter), information security/privacy/compliance expert, shared some insights from a recent course she taught about geo-location privacy to a large group of surveying and mapping professionals. “They were all interested not only for their own use in their professional activities, but also from their own personal perspectives and experiences. One class member who was in the midst of recovering from identity theft raised his hand, ‘That store has cost me over a thousand dollars so far to reclaim my identity…and it was their mess! Why are all these businesses allowed to ruin the lives of others without any penalty?’ Another class member replied, ‘Stop using that business! I’ve stopped using every business that has a breach.’ This microcosm is a pretty accurate reflection of the growing attitude of the general public; and it’s supported by a recent Forrester report stating that, according to their research, strong privacy protections will become a major competitive differentiator starting in 2015. Businesses need to establish or beef up their privacy programs, and information security protections, if they want to keep their clients, customers, and patients.”
According to Allan Pratt (@Tips4Tech on Twitter), information security expert and technology instructor, “Without awareness, buy-in, and participation by all business units, companies will not engage all employees in the company-wide objective of practicing infosecurity. The IT department of the old days no longer means simply fixing computers and setting up networks. IT Departments actually touch all departments within a business, so techies must speak a language other than technology. If this happens, then all employees will learn and understand why security is important to them, how security relates to them, and how they will be affected when breaches happen. And once all business units work as a team, the business, its data, and its employees are all better protected.”
Armed with this background about security breaches, here are five branding tips every business can learn and apply:
[1] Place yourself in the shoes of your customers
You, as your company’s CEO and leadership team, probably don’t want your data stolen. So, put yourself in your customers’ shoes – they aren’t happy about the news that their data has been compromised and may be sold on the black market. Use language that tells your customers you value them – and that you’re just as upset as they are about what has happened. Don’t let your business be perceived as if it is ignoring the data breach or the fact that customer data may be at risk.
[2] Be honest, transparent, and quick with your communications to customers
If something horrible happens with your customer data, be up-front with your customers. Distribute press releases, place messages from the President/CEO front and center on your website, present webinars or video messages from the President/CEO, etc. Don’t hide behind an anonymous Chief Information Officer, a faceless public relations agency, or even worse, a PR intern. Tell the story of what happened, once you know, and if someone from inside the company is at fault, take action and let the public know.
[3] Provide options
At a minimum, provide credit monitoring at no charge to your customers – all customers. This will be a small price to pay when you consider that if your customer data is sold on the black market, and lawsuits happen – and class action lawsuits may be even more likely, your company could go out of business. Remember that customers want to know they are valued – and when their data is compromised, they definitely don’t feel that way.
[4] Educate employees about the consequences if they break the law and steal confidential information (insider vs. external threats)
It may sound strange, but when strangers visit your office, they can easily fit in. If your company doesn’t have strict visitor policies (nametags, a guide to accompany them while walking around, etc.), then a stranger could easily walk off with a laptop (it’s been known to happen on too many occasions). And if the laptop has HR data or Finance Department data – that is not encrypted – well, your legal team better get ready for long days and nights. An even worse scenario is when the threat is internal: when employees are the actual criminals. Develop a policy with consequences, include it in your onboarding process, and review it on a regular basis.
[5] Develop a BYOD policy and enforce it
Look around your workplace. How many employees use their own smartphones or tablets for business-related projects? If they do, they are putting your confidential data at risk. This data may be on Word documents, Excel spreadsheets, or CRM systems. One wrong move, one malware attack, and voila, a hack can happen quicker than you can say BYOD. Develop a policy, include it in your onboarding process, and make sure that employees use password protection on their devices, regularly change their passwords, and only provide access to those employees that absolutely need it. Also, when employees leave or are terminated, make sure that you have BYOD in your off-boarding process. Consider this: How many employees leave with access still on their devices and with company confidential data still on their devices?
And now, for the promised website where you can learn about data breaches immediately when they happen. Bookmark this link. Once there, make sure to click “go” to refresh the page.
In conclusion, apply these tips and see the impact they can make on your brand – ideally, before you experience a data breach!