Cyber-criminals are assaulting every part of the enterprise. But not all cyber-attacks are created equal. In the minds of senior executives, the greatest danger of cyber-attacks is damage to the reputation of the firm with its customers.

1. © The Economist Intelligence Unit Limited 20161
A report from The Economist Intelligence Unit
Protecting the brand—cyber-attacks and the
reputation of the enterprise
Cyber-criminals are assaulting every part of the enterprise. But not all cyber-attacks
are created equal. In the minds of senior executives, the greatest danger of cyber-
attacks is damage to the reputation of the firm with its customers.
The need to prioritise defences
Each year sees another jump in the volume of serious attacks—major security incidents
were up 38% last year according to the consulting firm PwC.1
These attacks are
becoming more sophisticated and successful—witness an 82% jump in the costs of US
cyber-crime over the past six years.2
Finally, the number and variety of threats are
proliferating, as well-funded cyber-criminals devise new ways to attack the firm—with
over 31 distinct types of cyber-attacks listed on the web site of Cyber Security Crimes.3
This deluge in volume, severity and type of attack is forcing many Chief Investment
Officers and Chief Information Security Officers to rethink their strategies. “The assumption
has to be that not only will you be attacked, but that some attacks will be successful,”
says Thomas Ordahl, Chief Strategy Officer at Landor Associates. “Planning has to begin
from there.” A key assumption is that you cannot defend everything therefore you
position your resources, technology and attention around your most key assets.
1 Increase in 2015 over 2014, The Global State of Information Security® Survey 2016, PwC, February 2016.
2 2015 Cost of Cyber Crime Study: United States, Ponemon Institute, October 2015.
3 Types of Cyber attack or threats, Cyber Security Crimes, www.cybersecuritycrimes.com, 2016.
Sponsored by
A key
assumption is
that you
cannot defend
everything
therefore you
position your
resources,
technology
and attention
around your
most key assets.

2. © The Economist Intelligence Unit Limited 20162
Protecting the brand—cyber-attacks and the reputation of the enterprise
The greatest harm a cyber-attacker can cause—loss of
customers’ trust
In January-February 2016, The Economist Intelligence Unit (EIU), sponsored by VMware,
conducted a global survey of 282 C-suite members4
on their greatest concerns in cyber-
security. Respondents are from large companies (ranging from $500 million to $10 billion
in revenues), are located in 16 countries and represent a range of industries.
When asked about the greatest damage that cyber-attacks could do to their
companies, their response was clear—“our reputation with our customers” was the
greatest concern by a sizable margin.
Why is protecting the company’s brand so critical in cyber security? “The brand of the
company is the most valuable asset because it touches all things,” says Mr Ordahl. “It is
behind growth and revenues. It is also the asset that when compromised…is least easily
fixed.”
Brand reputation is also seen as a fragile asset. “It can take decades to build your
reputation with customers,” says Leslie Gaines-Ross, Chief Reputation Strategist at
Weber Shandwick. “Then while you are asleep an attack can take place, and when
you wake the reputation can be gone.”
The reason why cyber-attacks can be so damaging to a company’s reputation is that
the damage is not contained to the company itself—they also expose customers to
the danger of identity theft or financial losses. Customers are keenly aware of this. “The
customer decides that this is a company that is not prepared,” says Ms Gaines-Ross.
“There is a negative halo effect: they go beyond the incident to question its products
and controls.”
And the attack itself is just the beginning. All of the companies targeted in top ten
cyber-attacks in the last five years have been hit with shareholder or customer lawsuits.
Beyond the damages awarded, these highly publicised events keep the breach in the
news and high on public awareness.
4 Titles included CEO, President, CFO, COO, Chief Marketing Officer, Chief Sales Officer and Managing Director. The CIO
was excluded in order to capture the views of non-IT professionals.
Source: Cyber-security: The gap between the C-suite and the security team, 2016
What is the single most important asset in your company that needs to be
protected from cyber-attacks?
(% respondents)
Our reputation with our customers
Private intra-company communications
Strategic plans and initiatives
Regulated data
Customer information
Applications and services
Product specifications and pricing
Proprietary processes
Proprietary research
Employee information
Liquid financial assets that could be stolen
25
14
12
12
10
8
6
6
4
3
1
A successful
breach is not
just an attack
on the
company, but
a direct attack
on its
customers.

3. © The Economist Intelligence Unit Limited 20163
Protecting the brand—cyber-attacks and the reputation of the enterprise
Although intangible, damage to a
company’s brand has a very real impact
on financial performance. After Target
revealed a breach that leaked information
on as many as 110 million customers, for
example, its sales dropped 4% and its profit
plunged nearly 50% in the following
quarter. The share price fell 46% and the
CEO lost his job.
The C-suite is not only concerned about
the consequences of an attack, but also
about the likelihood of it happening. Over
a quarter of C-suite executives, and 38% of
IT executives, believe that there will be a
severe and successful attack on their firm
within three years. Over 60% of executives
believe that the incidence of attacks on
customer-related data will increase over
the coming year.
The problem is that cyber-criminals place
as high a priority on the customer-
information assets as does the firm. There is
an active and liquid criminal market for
customer information—credit card
information, social security numbers,
health information—which incentivises its
theft. Just as customer data remains a
priority for the enterprise, so it will be a
priority for cyber-criminals.
The protection of customer data—getting everyone in sync
Most companies acknowledge that they cannot defend everything. Therefore, it is
critical that a priority list is established, allocating resources and funding to protect the
firm’s most valuable assets. This requires a unity of purpose in all parts of the company
that touches cyber-security.
As noted above, the company’s leadership is clear that it believes the asset that most
needs protection is “our reputation with our customers”. Unfortunately, they do not
appear to be in sync with the security team who has to allocate and operate cyber-
protection programmes.
Whereas the leadership is focused on the company’s reputation—its top priorities are
reputation with customers and disclosure of sensitive internal communications—the
security leadership is focused on protecting data assets such as regulated data and
customer information.
Source: Economist Intelligence Unit survey, 2016
Within 90 days Within one
year
Within three
years
A serious cyber-attack is one that
succeeds in breaching your company’s
defences and causes harm to the
business. How likely is it that your firm will
experience such an attack within the
following time frames?
(% respondents)
12
22
26
Source: Economist Intelligence Unit survey, 2016
Attacks will
decrease
Attacks will
stay the same
Attacks will
increase
Please provide an estimate of the change
in cyber-attacks involving customer
information
(% respondents)
1
38
61
Over a quarter
of C-suite
executives, and
38% of IT
executives,
believe that
there will be a
severe and
successful
attack on their
firm within three
years.

4. © The Economist Intelligence Unit Limited 20164
Protecting the brand—cyber-attacks and the reputation of the enterprise
This misalignment speaks to a larger issue—while the C-suite takes a longer-term,
strategic view of cyber-security, IT executives appear to take a more tactical approach
that focuses on individual data sets and assets. Security executives need to make sure
they pursue a holistic cyber-security strategy that aligns with the priorities of the firm.
Managing the successful attack
Every company must plan for an attack that has already happened. “Companies
have to plan ahead for managing the attack,” says Mr Ordahl. “You don’t want to be
figuring out how to manage your response in the middle of the crisis.”
Here are some leading practices:
l Have a flexible architecture-based defence that allows IT, upon notification that a
breach has taken place, to identify, mitigate and contain the attack. Breaches are
like cancer—if you can spot and treat them early, you can reduce the seriousness of
the disease.
l Have a crisis management plan in place—one that assumes the worst: that
significant customer assets have been compromised. This involves multiple
stakeholders, particularly the CIO and the CMO, who need to work together to
protect the brand.
l Come clean and disclose the full extent of the breach to your customers and
regulators. “You will have more of a crisis on your hands when you are not
transparent,” says Ms Gaines-Ross. “If you are not open in the first 24 hours, the
solution will be worse than the crisis.” When you have disclosed the last bit of bad
information, that is the start of rebuilding the brand. A slow drip of bad news will just
prolong the pain and increase the mistrust.
Source: Economist Intelligence Unit survey, 2016
What is the single most important asset in your company that needs to be protected
from cyber-attacks?
Select one. (% respondents)
C-suite priorities
Security leadership priorities
Our reputation with our customers
Private intra-company communications
Strategic plans and initiatives
Regulated data
Customer information
Applications and services
Product specifications and pricing
Proprietary processes
Proprietary research
Employee information
Liquid financial assets that could be stolen
25
16
14
6
12
7
12
25
10
20
8
14
6
1
6
5
4
5
3
4
1
1

5. © The Economist Intelligence Unit Limited 20165
Protecting the brand—cyber-attacks and the reputation of the enterprise
l Don’t just talk about the problem—you should also talk about the solution. You need
to make clear what happened but you should also take control of the dialogue by
explaining what you are doing to fix the problem. “Your customers have to know
that this will never happen again,” says Ms Gaines-Ross.
l Conduct a forensic analysis of the breach and your response. A diverse team of
stakeholders—from IT, legal, press and others—should conduct a post-mortem on
the origins of the breach and its management by the firm. A premium should be
placed on plugging the hole that allowed the breach, so that what happened
before will not happen again.
Conclusion
“He who defends everything defends nothing” is a classic military quote that now
applies to cyber-security.
The most effective cyber-defences will be those that concentrate resources where
they are needed. For most firms, the most precious asset that they have—and the
hardest to recover once lost—is the trust of their customers. This is also the asset that is
most at risk through the attacks of hackers and cyber-criminals. Firms need to build
security architectures that are flexible and modular enough to provide higher levels of
protection against any attack that jeopardises the customer relationship—the first
priority in cyber-security.