The brand battle CMOs must fight in the face of data breaches and cybersecurity attacks

Fresh cyber attacks and data breaches across Volkswagen, Audi, McDonalds and Electronic Arts highlight the growing cybersecurity and data threat. So what can marketing leaders do about preventing and reacting to these crises?


How marketers can help cope with a data breach

With every business facing the very real scenario of being breached, it’s clear brand leaders should be actively involved in a game plan for dealing with the fallout. The obvious area of focus for marketers is communications and customer management.  

As of 2018, Australia’s Notifiable Data Breaches (NDB) scheme requires an organisation with greater than $3 million in turnover that experiences a data breach likely to result in serious harm to any individuals whose personal information is involved, to notify the Office of the Australian Information Commissioner and any affected individuals. However, wording admittedly provides some wriggle room, particularly regarding what constitutes ‘serious harm’ and ‘likely to result’.

Outside of legal requirements, if a breach occurs, it’s imperative brands be open and honest about what happened and what next steps the business is taking to remedy the situation, Bassett said. “This will make the difference in the impact on consumer confidence,” he said.

Ram also highlighted the need to be transparent with breach notifications, alerting customers and relevant authorities quickly. “The best policy is transparency,” Knudsen agreed.

“Nobody likes being lied to, or even not getting the whole truth. When breaches or other bad things happen, customers will appreciate a prompt, honest communication about what happened and what the organisation is doing about it. Having a solid incident response plan can help with this.” 

One important learning from Check Point Incident Response team Ram pointed to is that most organisations don’t have a platform to enable efficient cross-company communication and collaboration between key stakeholders. Often, this means legal, PR teams and executives don’t have a platform to effectively communicate with the rest of the incident response team.  

“Most organisations also don’t do table-top exercises under the new normal conditions. It’s vital you test your incident response with scenarios where key stakeholders are unable to get into the same room and are forced to work remotely,” Ram said.  

Englert stressed the criticality of a unified communications approach internally and externally. “The key here is that there is unity in communications and activities —both predatory and response— across the organisation,” he said.  

“This is actually a place where marketing, rather than legal or IT, can help lead the organisation’s response and strengthen both its pre-breach and post-breach cybersecurity posture.”  

If you don’t get the internal and external communications right, “the whole thing can fall apart and you can be left with lumpy notifications based on really narrow agendas”, Englert warned.  

“One company we dealt with inadvertently set off a comms disaster by letting the sales team essentially do enterprise customer notification,” he recalled. “The result was that they triggered SLAs in some of their customers that mandated immediate public notification. Unfortunately, no one was ready for this and the comms that went out were based on incomplete forensic findings and an overall immature, unsophisticated understanding of what was acceptable in tech and wider business media.  

“Every piece of comms, including managing your customer service desk with an integrated plan and strict oversight, is important.”  

Whole-of-company collaboration  

Despite this, as Englert’s failed response example makes apparent, security breaches such as those suffered by McDonalds, Electronic Arts and Volkswagen are whole-of-organisation issues. For Knudsen, infusing every part of an organisation with security can only happen with commitment from the highest levels of management. He again saw this as an opportunity for marketing chiefs to lead.  

“A CMO, for example, can minimise the risk of future marketing-related software security incidents by mandating that security is part of every aspect of the organisation,” Knudsen said. “When security is accepted in the day-to-day work of everyone in the organisation, overall risk is reduced.”   

With security integral to every aspect of the business – including marketing – CMOs should also be ensuring security is part of planning any marketing project, from concept through execution, Knudsen said. “Whenever you collect customer data, or whenever you perform analyses, you must consider not only what you’re trying to accomplish but also the security ramifications,” he continued.  

“Where are you storing the data? Who has access? How can you make it more secure? In the end, risk can be lowered but never eliminated. Even if you do everything right, bad things might still happen. Consequently, having a good incident response plan in place is important.”   

Mimecast marketing director A/NZ, Daniel McDermott, recommended ensuring digital brand protection is part of your risk management framework and start partnering with your CISO today on mitigation strategies. 

“For too long ‘cyber’ has been off to the side and seen as the CISO or CIO’s problem. The CMO, as the ultimate brand custodian, has to step up and play an active role,” he said. “This means the CMO, CISO, communications and legal teams need to work in lockstep to ensure they’re all aware of each other’s roles in any incident, have trust in each other and open lines of communication across teams to ensure maximum protection and – when a breach does occur – minimise customer impact as well as brand damage and reputational fallout.”

Knudsen emphasised marketing teams, like other parts of an organisation, also use software to interact with customers, gather important data, store customer information and analyses, and perform every other part of marketing.   

“While powerful tools are readily available, security needs to be part of how marketing groups select, configure and use software,” he said. “One small example is sharing information with the rest of the marketing team. When you share a file, you want to make sure that co-workers can access the file and use its information. But security is just as important. Can you limit access to specific people? Would it be hard for an attacker to get the file?”    

Another potential issue Ram spotted was in cyber strategies not taking a holistic enough view that includes ensuring third parties accessing and processing customer data have the same level of security or higher than the data owner organisation.  

“It is essential organisations understand who is accessing their crown jewels and deploy appropriate security controls to ensure security best practice such as the principle of least privilege, where user and systems are given the minimum levels of access – or permissions – needed to perform these tasks,” Ram said. “A zero-trust approach to accessing and processing of data is vital to ensure organisations aren’t the low hanging fruit for cyber criminals.”  

Keeping perspective  

Yet even as we all work to build adequate plans to prepare for an attack from cyber security criminals, Englert said CMOs should keep some perspective on the fallout on customer and brand reputation. Sound brand fundamentals are vital here.  

“If you have a lot of good faith in the marketplace, you should be fine as long as you ensure your communications planning is firmly in place and integrated into your culture for what I would consider the inevitable, a breach or privacy data issue,” he said. “Never lie. More importantly, have complete organisational buy-in, from the board on down, to never lie, to disclose and to take a deep breath and respond evenly when that bad cyber day arrives. 

In some ways, there is a tendency to over-react on the part of the organisation and think customers will simply abandon you if you have a breach. This is not true. If you handle communications well, are transparent and put yourself in your customers and stakeholders’ shoes, you will usually find most people are actually incredibly understanding and not nearly so precious about their data.    

“This might sound sacrilegious with the rise of privacy regulations across every jurisdiction. But people generally understand it is really hard to defend 100 per cent against a breach and they can put their own personal data into perspective.”    

One example of this for Englert was a breach his team handled where over 200,000 records were affected. Fewer than 10 customer complaints were received.  

“The main things was customers knew we were being honest and looking after their best interests in a tough situation,” he said. “In that case, the NPS score actually improved only a month after the breach.    

It’s like the organisation is a human. When the chips are down, you get insights into the person’s true colours — the same applies here.”  

Don’t miss out on the wealth of insight and content provided by CMO A/NZ and sign up to our weekly CMO Digest newsletters and information services here. 

You can also follow CMO on Twitter: @CMOAustralia, take part in the CMO conversation on LinkedIn: CMO ANZ, follow our regular updates via CMO Australia's Linkedin company page

 

 

 

 

 

 

 

 

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.
Show Comments

Latest Videos

Launch marketing council Episode 5: Retailer and supplier

In our fifth and final episode, we delve into the relationship between retailer and supplier and how it drives and influences launch marketing strategies and success. To do that, we’re joined by Campbell Davies, group general manager of Associated Retailers Limited, and Kristin Viccars, marketing director A/NZ, Apex Tool Group. Also featured are Five by Five Global managing director, Matt Lawton, and CMO’s Nadia Cameron.

More Videos

Great read. I agree that it should be a perfect balance between interacting with your customers and knowing your brand. As a business, yo...

Caroline Scott

7 ways CMOs can improve their customer engagement game

Read more

Very true. Team development helps improve collaboration among the team members. I was able to improve my team's collaboration skills by t...

Quent Sinder

Why empowering others can help make you a great leader

Read more

CRM is a very good software that can help you succeed in your business. In my company, this system has allowed me to improve customer rel...

Anna Janicka

Sensis rebrands to Thryv and brings business software to Australian SMBs

Read more

AI Leasing Assistants have finally arrived for the multifamily industry. With so many to choose from it can be hard to figure out which i...

Alice Labs Pte. Ltd.

CMO's top 8 martech stories for the week - 6 May 2021

Read more

Nowadays, when everything is being done online, it is good to know that someone is trying to make an improvement. As a company, you are o...

Marcus

10 lessons Telstra has learnt through its T22 transformation

Read more

Blog Posts

Why if marketing is all you do, you’ll never be very good at it

OK, so you’re probably thinking: “Here comes another article to badger me about living in my bubble.” And also, “I bet this bubble-bashing piece will go on to explain how I can achieve better results through some heady dose of new life experiences, new routines and annoyingly different opinions on social media.”

Dane Smith and Toby Harrison

Ogilvy Australia

A leader’s role in rebuilding a culture of confidence

Every day, there are new predictions and studies on the future of work, the state of the economy and the unfolding global pandemic. All of which creates uncertainty and heightens the imperative of effective leadership.

Michelle Gibbings

Workplace expert, author

Confused About Your Customers?​

​I've worked in brand and marketing for more than 20 years. But there’s one area where I’ve found myself going around in circles and I must admit I'm becoming increasingly confused.

Rich Curtis

CEO, FutureBrand A/NZ

Sign in