Look at the fallout over the TalkTalk fiasco and it's clear that the first victim in a hack attack is the brand, and nothing could be more squarely situated in the CMO's court. If you were considering switching a telephone, broadband or Internet television subscription right now, how high up the short list would TalkTalk make it? There are some other names that have been more famously hacked such as Xbox and Sony, but they had the benefit of offering something unique, such as a gaming platform or content that people want to engage with. TalkTalk is just a telecom company, and for many customers in the UK who live outside urban hot spots, it's likely that all they do is sell on BT's service under their own name. So unless there was an amazing offer, why would anyone now take the risk?
TalkTalk had been warned that its security was not as good as it could be, and it had had a couple of minor scares before last week's potentially massive breach in which it was initially feared that more than four million customers, past and present, may have had their bank details stolen. I suspect that number will be confirmed as much lower and that virtually no one will suffer a material loss from the breach, because having someone's bank account number is a very different prospect from having their passwords. Attempting to take money from accounts is one thing, getting those funds is quite another.
The real issue is customer trust, which is not really helped by news that a fifteen-year-old youth has been questioned over the attack -- being targeted by ruthless cybercriminals who could bring down governments may be forgivable; being brought to your knees potentially by a boy who should have been revising for mock GCSEs is just laughable.
The only thing that will make TalkTalk's subscriber numbers bearable when the current quarter is reported at the start of next year will be the fact that customers are generally tied in to deals and so there is a financial penalty for switching until a contract has been honoured. TalkTalk has hinted that it might relax charges, given the circumstances, but I very much doubt they will or else they will see a huge churn to BT and other rivals. Instead, people will vow to move and after a few months have gone by, normal life will take over and they'll forget about the whole fiasco.
I'm always suspicious when cybersecurity experts claim that companies go out of business over breaches and huge names can be toppled in a morning. They never seem to be able to produce an example of a mega brand that was crushed by a hack attack but merely those who had to endure a lot of embarrassing headlines for a month before life moved on.
Nevertheless, the damage to a brand's name can't be taken lightly, particularly when it is a utility selling pretty much exactly what dozens of rivals are selling. So, to come full circle: any CMO who thinks that cybersecurity is in IT's court and any CIO who thinks brand reputation belongs solely to marketing need to seriously think again. As the past few days have shown us, it's probably the one area where their influences within the organisation completely overlap. CMOs need to be asking whether their brand encrypts personal information, how it is handled and stored, and whether access to customer details is limited to a layer cake of ascending seniority or whether all staff can access whatever they want with a password they get on day one and just might accidentally give out in a phishing attack.
If a CMO has no clue what is being done to protect customers, how can they be expected to defend the brand and give assurances on why it should be trusted?