70% to 80% of the market value in today’s economies comes from intangible assets such as brand equity, intellectual property, and goodwill. This ratio makes businesses vulnerable to just about anything that can damage their reputation.

While the C-suite and boards are aware of the threat to their business’ reputation, it is not always the technical team’s top priority. Even worse, there is no room for reputational risk in the priority list for small businesses (SMBs) with even less resources. In this blog, we define reputational risk and most importantly – why managing reputational risk matters in the digital era regardless of company size.

Understanding Reputation and Risk

To be able to understand reputational risk, you must first define it.

Reputation: The public’s current perception, regarding a brand, person, company, product, or service.

Reputational risk remains a major issue for companies, especially in a modern world where everyone can share their views in seconds. Companies with positive reputations draw in more customers because they are viewed as having greater value. As a result, their clients are more loyal and often buy more products and services.

Reputational harm increases the likelihood of poor visibility, such as media or ads which can have ongoing consequences online. Even worse, enough damage can eventually affect revenue.

The greatest risk associated with reputational risk is unpredictability. Uncertainty around your organization’s reputation and lack of preparation for reputational damage can be devastating to an organization, depending on the severity.

Warren Buffett

Why does Reputational Risk Matter for Small Businesses?

The pandemic has expedited the digital transformation for small businesses more than ever in history.

In a press release, Jimenez, AVP, Head of Digital Transformation & SMB Research at IDC, stated, “Small businesses are realizing that digitalization is no longer an option, but a matter of survival.”

Small businesses come in various sizes and shapes, therefore, so is the level of digitalization. For example, you might be working for a small manufacturing facility with minimal assets on the internet or cloud, or work for a company operating remotely that relies heavily on collaborative technology and smartphone apps. While digitalization has been regarded as a matter of survival in the past year, it has also brought in new reputational risks to cyberspace.

One commonality among the majority of SMBs is the huge disconnect between the way they feel internally and their security stance externally, according to a recent report.[1] The majority of this disconnect is attributed to budgetary concerns and limited IT / Security staff present at SMBs.

Despite resource limitations and misalignments, SMB’s (credit unions, healthcare clinics, etc.) should be just as diligent with their reputational risk and sources.

4 Common Sources for Reputational Risk

Many organizations are linked through the Internet to consumers, vendors, and other stakeholders, making them more vulnerable targets within a matter of seconds.

Social Media

Reputational harm may occur from the use (or misuse) of social media by an unwary staff member, external organization, or the business itself. How an organization advocates for itself and the general public can quickly be taken out of context via messaging, imagery, and dozens of other mediums.

Bad Coverage

Every business needs to track online reviews as well as comments on social media sites, forums, or anywhere customers may be discussing the organization’s reputation.

Breach of Assets

Data breaches can affect the credibility of any business. Your customers trust your business with their data. However, if their sensitive data is sold in the black market (SSN, DOB’s, etc), significant damage is likely to follow. According to the Small Business Administration, phishing emails administered to employees are one of the largest sources of data breaches, as they often navigate around computer infrastructure.

Changing Regulatory Landscape

Election cycles typically change rules and regulations. A business may satisfy compliance criteria under one administration, but may face liquidity risk under another. Be aware of the current regulatory landscape, as customers will source alternate options if they feel that your business is dysfunctional.

Recent Examples and the Relation to Business Loss

Reputational risk can pose a danger to the survival of the largest and best-run businesses by wiping out millions of dollars in market capitalization and future profits.

IBM’s recent Cost of a Data Breach Report 2020 [3] addresses the Lost Business cost in a data breach, which is closely related to reputational loss. According to this study,[3] lost business became the largest contributing cost factor, accounting for nearly 40% of the average total cost of a data breach. Other factors included Detection and Escalation, Notification, and Ex-post Responde.

Another known example of how reputation damage cost millions of dollars is Wells Fargo. Employees of the bank opened millions of false accounts, overcharged for auto insurance, signed up needless auto and pet insurance clients, and unintentionally foreclosed on hundreds of houses. The bank eventually had to fire more than 3,000 employees, including their CEO. Wells Fargo also paid a $185M fine over these account openings to restore its reputation.

Although the victims of the SolarWinds breach is currently scoped to 18,000 customers, the aftermath is still unclear for those who used trojanized versions of Orion Software. To date, the CEO has resigned and the company is still strategizing to restore its reputation.

Another example is the Target breach, which occurred due to a third-party vendor. The breach eventually exposed the personal data of 110 million customers. Target officials discovered the breach within 16 days and disclosed the news to the public 20 days after the discovery. Many blamed Target for the time it took to reveal the incident to the public. The customer perception took a 54.6 percent dip the year following the data breach.[2]

Reputational Risk as Part of Risk Management

Image by Steve Buissinne from Pixabay

Organizations should take a proactive approach in managing reputational risk, just as they do in organizational risk management. As part of risk management, and even cyber risk management, reputational risk can be quantified and regulated adequately by a company.  Such a methodology can help managers better identify current and future risks to the reputations of their businesses, and determine whether to accept a given risk or take steps to avoid or mitigate it.

The Role of SRS in Reputational Risk

Black Kite takes a proactive approach to reputational risk in cyberspace. Leveraging various cyber intelligence sources and having a dedicated main category named “Reputational Risk”, Black Kite continuously monitors a company’s digital reputation using the following categories:

  • Breach Index: Powered by multiple indicators across the platform, Breach Index is a key performance indicator that tracks data breaches and measures the severity based on the number of records compromised.
  • Social Media: Threat actors publicize their targets or victims on social network sites.  The findings of this category harnesses results from billions of pieces of social media content.
  • Brand Monitoring: A business analytics process is carried by monitoring various channels on the web or other media to gain insight about the company, brand, and anything explicitly connected to the company in cyberspace.
  • IP Reputation: IPs or domains are searched for in blacklists for possible use in sophisticated APT attacks.
  • Fraudulent Apps: Possible fraudulent or pirate mobile/desktop apps on Google Play, the App Store, and pirate app stores are searched for potential use in hacking or phishing employee or customer data.
  • Fraudulent Domains: Fraudulent or scam domain names are constantly searched in cyberspace. Domain name scams are types of intellectual property or confidence scams, in which unscrupulous domain name registrars attempt to generate revenue by tricking businesses into buying, selling, listing, or converting a domain name. Fraudulent or scam domains are frequently used by phishing attacks targeting either a company’s employees or customers.
  • Web Ranking: In this category the website of a company is ranked according to popularity, back-links, references, etc.

For each of the above categories, Black Kite assigns a letter grade as well as a grade on a 0-100 scale, providing a measurable indicator of reputational risk. With Black Kite’s continuous monitoring, a company can monitor its trending Reputational Risk based on its internet-facing assets, so that risk managers can take proactive actions on their brand reputation.

Learn more about the Black Kite platform and grading!


References

[1] https://www.datto.com/resource-downloads/Datto2019_StateOfTheChannel_RansomwareReport_NL-8.pdf

[2] https://www.varonis.com/blog/company-reputation-after-a-data-breach

[3] Cost of a Data Breach 2020, https://www.ibm.com/security/digital-assets/cost-data-breach-report/#/

Cover photo by Pexels