
PERSPECTIVE: Security and the Management of Reputation Risk

Building a company’s reputation may take years, but it can be irreparably tarnished by a few unfortunate headlines after a security event. Reputational risk is widely regarded as the greatest threat to a company’s market value and standing in the community, and effectively assessing and managing this risk is key to continued viability and success. Safeguarding corporate reputation requires continuous effort and focus, but a company’s response in the aftermath of a physical or cyber attack can significantly shape the event’s severity and, ultimately, the company’s future.

Developing and maintaining a solid reputation is important for all organizations, especially those offering critical infrastructure services. Corporate boards of directors are now, rightly so, consumed with concern over security issues. With security being top of mind and a major topic for political conversation, it is no surprise that protecting a company’s reputation after an attack is of the utmost importance. Executives have seen the considerable media magnification after an event and how the impact has disrupted business operations, market value, and good standing in the community.

The reputation of an organization is built over time and determined, in large part, by how well several core commitments are met. These commitments include reliable and safe products or services, value to the consumer, a positive customer experience, and exceeding the financial (cost and revenue) expectations of a variety of stakeholders. Intertwined within these four core expectations is protecting the confidentiality and security of personal data and providing a safe and secure experience for both employees and customers. With growing concern over the frequent news of cyber breaches and data exfiltration, the public’s tolerance for cybersecurity inattention is waning fast.

It’s no longer a case of if your company is going to be exposed to a cyber attack and data breach, but rather when it’s going to happen. 2018 will set new records for the number of companies compromised and, as the recent crisis at Equifax has shown, failure to manage the crisis effectively can be devastating to your company’s reputation. Effective risk management plans must be implemented proactively to address these critical risks at companies of all sizes. Technology is evolving at a pace that companies find hard to match, let alone surpass, and in the case of cyber risk those advances are outpacing the security protections companies have in place.

Today, stakeholder perceptions around emerging strategic factors, such as physical and cybersecurity, are increasingly impacting a utility’s reputation. We know that when negative perceptions of a company arise, they can lead to a decline in the company’s reputation, which can then lead to a loss of support and value. Recent data breaches affecting major retailers, financial institutions, and other high-profile companies vividly illustrate that organizations of all types face risks that can suddenly propel them into global headlines, creating complex enterprise-wide events that threaten reputation and brand.

Some risks can be managed and mitigated more than others, and management teams should gather prior to a crisis to discuss and think through potential issues and events while under no duress. Once an organization has identified the risks it should be managing, it can then start working to try to prevent them from happening. This is done most effectively by collaborating across functions with all impacted stakeholder owners involved in the process. Specifically, the management team should establish a formal framework to:

  • Identify events that can hurt the company’s reputation
  • Analyze events based on their likelihood of occurrence and predict their impact on reputation
  • Analyze the organization’s readiness to prevent each event and minimize its impact
  • Prioritize risks by importance
  • Mitigate risks in order of importance and enhance organizational readiness
  • Monitor risks

While deploying the risk mitigation steps described above can significantly reduce reputational risk, there is no solution that fully eliminates the risk associated with a cyber or physical security event. However, there are crisis management tools and skills such as formal response plans and timely public outreach that can be put in place to effectively mitigate reputational harm once a crisis has occurred.

Whether you embrace it or hate it, social media is here to stay and can quickly hurt a company’s reputation if not managed appropriately during a security event. When a crisis hits, the demand for information increases and conversations speed up. If you are not responding on social media, you will quickly become irrelevant amidst the rising tide of public reaction. To remain relevant and play an influential role in the public conversation during a crisis that impacts your company, you will need to be engaged on social media in addition to more traditional communication platforms. As a company scrambles to keep up with emerging social platforms and trends, it must also look for ways to confirm that its message and brand are consistent and accurate across all media outlets.

Traditionally, a utility’s reputation is judged based on a few public interactions. However, when a security crisis materializes today, reputation can be impacted by:

  • Response time. When a crisis strikes in the digital age, it moves with dizzying speed. Response paralysis and opacity leave time for a dangerous and costly information vacuum to form. For example, Equifax was slow to reveal its data breach: it sat on a known risk to members of the general public and disclosed the problem only about a month after the incident. The company should have been more transparent and open in revealing the issue.
  • An executive team that leans forward during a crisis. Within an organization, there should be designated individuals who are the only ones authorized to speak for the company in times of crisis. The CEO should be one of those spokespersons, but not necessarily the primary spokesperson. The fact is that some chief executives are brilliant business people but not very effective in-person communicators. The decision about who should speak can be made after a crisis breaks, but the pool of potential spokespersons should be identified and trained in advance. Engaging the media can be a frightening thought, but statements drafted in advance for use immediately after a crisis breaks save significant time and let you formulate level-headed messages before the pressure is on.
  • Mitigating fear, uncertainty, and doubt (FUD). A major aspect of any post-crisis management strategy is to reduce fear, uncertainty, and doubt and to accurately set the record straight. Rumors, half-truths, and blatant lies are countered with accurate and timely information. After a security event, it is important to provide a high-level report of what happened, what is currently being done to mitigate the threat, and what the public can expect over the next few days, weeks, and months. This should be articulated in a calm and fact-based manner.
  • Recognizing the value of intangibles. Risks to reputation are more difficult to manage than traditional enterprise risks because they are a matter of perception. Displaying confidence and taking responsibility are intangible actions that the public responds to, and they lead to good or bad public perception. Projecting calmness, transparency, and ownership in response to a physical or cybersecurity crisis will maintain trust with the public and allow you to better weather the storm.

The tactics described above are critical to enhancing a company’s ability to protect its reputation. While a company’s reputation may take years to build, it certainly can be damaged or even destroyed very quickly. Boards of directors and senior management are responsible for measuring and monitoring reputational risk and therefore must remain vigilant and active in providing the safeguards to prevent loss of reputation, especially as it relates to physical and cyber security events. As companies battle product and service issues, aging infrastructure, compliance, and safety in the midst of rapidly evolving technology and social media platforms, security must be part of the dialogue and the business continuity conversation going forward.

The views expressed here are the writer’s and are not necessarily endorsed by Homeland Security Today, which welcomes a broad range of viewpoints in support of securing our homeland. To submit a piece for consideration, email HSTodayMag@GTSCoalition.com.

Brian Harrell, CPP, is the Managing Director, Enterprise Protective Services at Duke Energy. He is the former Operations Director of the Electricity ISAC and Director of Critical Infrastructure Protection Programs at the North American Electric Reliability Corporation (NERC) where he was charged with helping protect North America's electric grid from physical and cyber-attack. Brian has spent time during his career in the US Marine Corps, US Department of Homeland Security, and various private sector agencies with the goal of protecting the United States from security threats. Harrell is also a Senior Fellow at The George Washington University Center for Cyber & Homeland Security (CCHS) where he provides insight and analysis on homeland security, counterterrorism, and cybersecurity issues.
