When Your Reputation Gets Short-Circuited
November 14, 2016
By Hubert Klein, CFE, CFF, CPA, ABV, CFF, CVA
EisnerAmper’s Board Survey Highlights Cybersecurity Risks
“It takes 20 years to build a reputation and five minutes to ruin it.” That’s a quote from someone who knows a little bit about business: Warren Buffett. In fact, in an era where social media has a significant impact and companies are increasingly directing customers to their websites for information or to place orders, a simple keystroke can destroy a company’s reputation in seconds.
Perpetrators come in all forms. It can be anyone from a 63-year-old bookkeeper at a Chicago not-for-profit stealing a few hundred dollars to a foreign-based 20-something swiping millions of Social Security numbers. Sure, you can quantify the number of accounts hacked and dollars lost. (According to the Association of Certified Fraud Examiners, the typical company loses 5% of annual revenue to fraud, with a median loss of $150,000.) But assessing the impact of something subjective, such as impact on reputation, is much more difficult and generally takes much longer.
Cyber Fraud and Reputation
One of the fastest-growing areas of fraud is cyber fraud. It can result in business disruption, theft of assets or intellectual property, blackmail, false rumors, even detriment to product safety, as happened with reports that a pacemaker manufacturer had left its products vulnerable to cyberattacks.
Why go through someone’s garbage to steal a single bank statement when, with a little technology, some know-how and the motivation to be a bad actor, you can steal millions of account numbers from the comfort of your own home?
For the past several years, EisnerAmper has conducted an annual Concerns About Risks Confronting Boards survey with members of boards of directors across a variety of public and private companies as well as not-for-profits. Recent reports revealed some interesting discoveries with respect to reputation and cybersecurity:
- A total of 75% identified reputational risk as a top concern of their boards. (2 years ago)
- Seventy percent of public companies and 61% of private companies say cybersecurity is one of the most important risks they face.
- Cybersecurity is the concern that has increased the most over the past 3 years (8%). (2 years)
- A total of 66% of companies have staff that deal with cybersecurity risks. (2 years)
- Only 20% provide training on reputational risk protection. (2 years)
Clearly there is causality between cyber exposure and reputational risk. Read the 7th Edition Survey Results Preview of EisnerAmper’s Concerns About Risks Confronting Boards.
A Step Ahead
One of the problems with cyberattacks is that the bad actors always seem to be a step ahead when it comes to technology. If one tactic doesn’t work, they try another: viruses, worms, phishing, ransomware, spyware, and the list goes on. The migration to mobile technology only raises the stakes.
Another issue is that some companies choose not to report these incidents. They may acquiesce and pay a ransomware demand in order to get their computer files back. Why would they take this confounding course of action? Many fear bad publicity, regulatory consequences, and reputational impact if the story gets out.
A study by the Ponemon Institute found that 85% of respondent businesses admitted that they have experienced a data security breach. Amazingly, 46% of those businesses didn’t implement encryption solutions even after a data breach.
Learning the Hard Way
Look at the 2013 hacking incident against Target. More than 40 million accounts were exposed. How? It was actually through a third-party vendor, an HVAC contractor. The result? Target’s sales fell by 46% and it had $236 million in related costs.
Even more recently was the Wells Fargo case. Employees created approximately 2 million unauthorized customer accounts in order to meet sales goals. The result? The company was fined $185 million and had to spend millions in revamping its internal audit processes, 5,300 employees were terminated, the CEO was raked over the coals by the House Financial Services Committee, and the Better Business Bureau revoked its accreditation.
However, there does seem to be a paradox. After major data breaches at Sony, Home Depot and eBay, there was an immediate dip in the companies’ stock prices; however, long-term, the stocks ultimately recovered and even grew.
While it may seem an uphill battle, there are proactive steps a company can take to secure its data and protect its reputation:
- Data security and brand reputation need to be emphasized from the leadership down.
- Invest in the proper technology and people.
- Include all stakeholders: staff, clients, vendors, the community, investors.
- Have a code of conduct, internet policy and crisis management system. Update them regularly.
- Conduct employee training.
- Have surprise audits, rotate positions, and hold penetration testing to determine cyber vulnerabilities.
- Use multi-factor authentication for devices.
- React quickly to breaches. Immediately notify customers and remedy problems (e.g., provide free credit monitoring). Be transparent with stakeholders, the media, and the authorities.
- Provide a fraud hotline and/or a whistleblower system.
While you can’t guarantee 100% protection, the key is to be proactive instead of reactive. This will help you maintain the reputation you’ve worked long and hard to develop.