Security Breaches: Will They Devastate Your Brand?
News stories featuring cyber attacks are becoming more common every year. They can be devastating for brands, not just in the losses caused by the attack itself, but in the damage to long-term reputation, and the impact this has on future sales.
Here, we’ll look at some examples of security breaches and their ramifications.
On March 9th, 2021, Verkada acknowledged a potential security incident involving unauthorized access to some of its products. They said they were implementing additional security measures as they investigated, out of an abundance of caution. However, the next day it was clear there had been a serious security breach.
Verkada later released the full incident report, but in short, hackers had gained access via a server used to perform maintenance operations on customer cameras. Once inside the network, they had obtained video and image data from cameras, a list of client account administrators, including names and email addresses, and a list of Verkada sales orders, including customer license information.
On March 12th, CEO Filip Kaliszan released a statement accepting Verkada’s failings in the incident and apologizing to customers. He announced a plan to remedy the situation, bolster security, and reassure customers. As well as focusing the efforts of Verkada’s own engineers, this involved hiring third-party experts and hosting weekly webinars to address customer concerns.
More updates followed over the next two months and, whilst the customer webinars have now been halted, work to remedy the faults found by the investigation is ongoing.
We don’t yet know the full monetary cost of this remedial work, but there’s no doubt the damage to brand trust will be far greater.
The attack has been reported by news outlets across the world and whilst Verkada’s statement may say that just 2% of its customers were affected, the figure that people will remember is the 150,000 cameras that were accessible by unauthorized users due to security flaws. And the fact that hospitals, police stations, and prisons were said to have been breached, along with major firms such as Tesla and Cloudflare.
You might think that people will only have seen the news story if they are involved in this industry. Sure, but what if you’re a consumer looking for a new security camera solution? You’ll do some research, and find a few companies that provide this. Verkada may well be one of them. You’ll then look further into these companies. And what happens when you google Verkada? You’ll find all the news stories about this security breach. You’ve probably never heard of the company before, and this is the first impression you get – not great is it? It doesn’t matter what Verkada has done since to rectify the problem, the damage is already done. If a company with a similar offering doesn’t have a major security breach on its CV you’re much more likely to engage with them.
Go back a few years and we find one of the biggest data security breaches of all time. In December 2013, Target, one of the largest retailers in the US, was hit by hackers. The point of entry was found to be via stealing the credentials of Target’s HVAC contractor, and then using these to access Target’s vendor system where they could find and exploit vulnerabilities. As a result, 40 million credit and debit card numbers and 70 million personal information records were stolen.
Now, Target is still a successful business, so it can’t have been that bad, right?
Both the IT director and CEO lost their jobs, and the company’s net income dropped 46% in the fourth quarter of 2013. In the immediate aftermath, they faced a $61 million bill which included compensating credit card companies, lawsuits, government investigations, and enforcement proceedings. Gartner estimated the full cost of the breach at over $400 million.
According to BrandIndex, Target’s consumer perception dipped by 54.6% in the year after the breach. It has steadily recovered since, but this will no doubt have something to do with its long standing brand reputation. Given the size of the company, they have also been able to absorb the losses incurred. Smaller, newer brands will inevitably find it much tougher to recover from security breaches, both in terms of finances and reputation.
The ridesharing firm suffered a data breach in October 2016 that affected 57 million customers and drivers. But Uber didn’t disclose this until a year later as they had paid the hackers a $100,000 ransom to keep it quiet.
When security breach costs can run into the tens or hundreds of millions, this might seem like good business sense, but the thing about secrets is that someone finds out eventually. And when they do, it usually makes matters much worse. It’s bad enough to have a breach in the first place, but to then cover it up risks diminishing all consumer trust, as well as inviting legal action from various bodies.
Uber’s consumer perception fell 141% after disclosing the breach according to BrandIndex. And they didn’t have a 100-year history to fall back on like Target as they’d only been operating for a decade. With new competitors entering the market, it was a particularly bad time for Uber to suffer such a fall in trust and undoubtedly hindered growth over the next few years.
What can IoT companies learn?
Firstly, it’s clear that data security is important to consumers, and any failings will cause them to lose trust quickly. We don’t yet know the full impact of the Verkada breach on consumer reputation, but similar cases tell us it will be significantly damaging.
If your brand is already well-established, you may be able to recover that trust. But it will take time. And the total costs of resolving breaches and associated fines will run into millions of dollars, so you need to be able to absorb the financial damage too.
If you don’t have a long history to fall back on as is the case with many start-up companies in the IoT sector, then the brand damage could be irreparable. It takes a lot for consumers to put their trust (and money) in a new brand with a squeaky clean record. Winning business from bigger companies with longer track records is incredibly difficult if you have a big black mark against your name.
If you do suffer a breach, never ever pay off the hackers, and be sure to disclose it immediately. You can’t turn back time to prevent it from happening, but you can minimize the damage and give yourself a fighting chance of recovery. In order to rebuild trust, it’s important to acknowledge what failed and show that action has been taken to prevent any recurrence in the future.
But, of course, prevention is always better than cure. As the IoT market grows exponentially, connected devices will become the favored targets for hackers as many are lacking in full security features. Deploying a proactive IoT security solution will ensure your products meet the highest security standards, protect your reputation, and set your company apart from others. Investment in IoT device security isn’t optional, it’s a necessity for staying in business and growing your brand.