Many cyber security professionals try to calculate the true cost of a cyber attack to a company. Typically, this includes downtime as well as the time it takes to recover your mission-critical processes.
Most of these variables can be quantified, so in a loose sense they
are rather easy to calculate. But there is
also the other side of this: the indirect costs that arrive after you have been
hit.
Typically, nobody really thinks about these, because all effort
goes into keeping the business from going under. But they are real, and they need to be taken
into consideration just as much as the direct costs.
So, you may be asking what an indirect cost is. These are the costs that are harder to
get solid numbers for and are therefore much more qualitative in nature. They include what it takes to notify
key stakeholders, the chance of being named in a lawsuit down the road,
the probability of being audited by the regulators who enforce the GDPR or the
CCPA, and, most importantly, the cost of losing a customer and
trying to win them back again.
This all comes down to what is known as brand loss, or
damage to your brand image.
This is true no matter what industry you are
in. If something happens to your
business, customers will swarm to your competition. It can take months to win a new customer, but
just a few seconds to lose one. And unfortunately,
in the world of cyber security, once you have been hit, the chance of getting
your old customers back is very slim.
It is not that you lack a great product or service, but
your customers entrusted you with the safe handling of their PII
datasets. Now that trust has been
violated, and it will be very difficult to rebuild, if it can be rebuilt at all. It is a bit like dating. If you or your partner have violated the
trust between you, it will be very difficult to build it back up again,
and one of you may start looking for somebody else to date.
But all is not lost, and there are ways to try to win back
your old customers after a security breach. Here are some remedies that you can try:
*Always be honest:
After you have been impacted, one of the best ways to
preserve your reputation is simply to be upfront and honest about it. In other words, transparency wins
in the end. For example, the moment
you are hit, your PR firm (if you have one) should start planning how
it will contact key stakeholders, especially your customers. They should be notified as quickly as
possible, without delay, and through every available channel:
phone, email, postal mail, and yes, even social media. But
you also have to walk a fine line here, as you do not want to give out too much
information and detail while the investigation is still ongoing. Let your customers know that they come first
and that you are working hard to protect their PII datasets. Also let them know that you will be offering
services, such as credit monitoring, that will help them recover their identity if they truly have
become a victim. Yes, it may be
embarrassing at first to admit publicly that you have been impacted, but
being honest and transparent from the very beginning will pay huge dividends
for your business in the end.
*Be proactive:
You always want to be proactive after a security breach, but
this is made a lot easier if you have had that proactive mindset from the very
beginning. In other words, you want to
have your Incident Response, Disaster Recovery and Business Continuity plans firmly in
place, and rehearsed regularly through tabletop exercises and drills.
That way, if something does happen, responding to a security breach
will be second nature to you and your IT security team. By showing this sense of urgency, your
customers, and even the suppliers you rely upon, will see that you are on
top of your game. Although you may have
been impacted, demonstrating this proactiveness will also go a long way
toward keeping your customers.
*Use what is known:
By this, I mean follow an established framework
when you craft the plans described in the last section. Many of these are available
online, and a number of widely used ones come from NIST (the Cybersecurity Framework and the SP 800-61 incident handling guide, for example). A web search will show you how
to download these frameworks and how to make use of them. True, these document sets are not the end-all
or be-all when it comes to fortifying the lines of defense at your
company, but they are certainly a good place to start. And there is yet another bonus to
this: if you can tell your customers
that you are following a set of best practices and standards published
by the Federal Government, this will also help your brand image in the long run.
You may even want to hire a dedicated professional to run this task
for you. For example, many of them can be hired
on a contract basis for a fixed fee, which can be quite affordable. These individuals are now known as "vDPOs",
or "Virtual Data Privacy Officers".
My Thoughts On This:
Yes, being hit by a security breach is no fun, and
losing customers is even worse. So,
from the standpoint of sales, you always need to keep your pipeline filled with
prospects on a continual basis, as best you can. In the end, if you are faithful and honest to
your customers, and build a business model around providing great customer service,
your most loyal customers will stick with you through thick and thin.