Cybercrime and Corporate Reputation: Business and Public Perspectives
Cybercrime in the UK is identified as top reputational threat, but companies not seen as being on top of it.
Cybercrime is a growing and evolving threat for businesses – illustrated by recent attacks on Yahoo, Talk Talk, and the US Democratic Party, to name just a few. More worryingly, across different industries it takes an average of 100 days for companies to detect a potential breach and sometimes a threat will not be identified at all, according to Gordon Morrison of Tech UK.
New research by Ipsos shows that:
- Corporate communicators now rate cyber security breaches as the #1 threat to a company’s reputation, equal top with poor quality products and services (listed by 42% of those surveyed). By comparison, the third ranked risk in the study - malpractice by a company’s own staff - was chosen by only 27%.
- MPs and business & finance journalists express similar concerns, with broadly similar ratings. “It is something that can affect a company overnight (…) if you have a cyber security breach, your reputation can be in tatters the next day” (MP)
- At the same time, a majority of MPs (53%) and business & finance journalists (55%) indicate that, while cybercrime is a pressing issue, they think that companies’ senior management does not have a good understanding of the risks posed by it.
- Among the public, a majority of 67% is concerned that cybercrime could affect their bank account, and only 47% say they trust most large companies to keep their customers’ data secure.
How can companies mitigate the reputational and commercial threat of cybercrime? Based on the research, as well as a panel discussion with policy and technical experts on 18 October, Ipsos’s Reputation Centre distils 5 key actions:
- Prevention: companies should invest more time and money in preventing cyber security breaches, while the government should take up a stronger supporting role and help with guidelines or education.
- Pro-activity: cyber security should be pushed up the agenda, and companies need to map the risks more pro-actively, for example through having more early warning systems.
- More coordination: close ties between the comms, security, legal, IT, and other relevant internal teams are needed to effectively mitigate the threat – many senior managers still see this as something that “sits with IT”.
- Education: especially of employees and customers and their role in prevention, as hacks often start here – e.g. with someone clicking on a phishing email link.
- Transparency and collaboration: more openness and knowledge sharing between companies, and between companies and the government, to increase the collective ability to deal with attacks, as well as keeping stakeholders and customers informed about risks.
That this is needed was emphasised by Member of Parliament Chi Onwurah during the panel discussion: “While we see that cybercrime is top of the list of what corporates and governments are paying attention to, I don’t see that is translated meaningfully into action.”