Page 14 - IMDR Journal 2025
Research Article
planning, technical controls, vendor management, budgeting, and communication. Each would be guided by best practices (e.g., NIST and ISO guidelines) to ensure the company is more resilient to future attacks.

3. How would transparency and timely disclosure help in a breach situation?

Transparency is crucial for maintaining trust. Legal frameworks like the EU’s General Data Protection Regulation (GDPR) require companies to report breaches to authorities within 72 hours. By promptly informing regulators and affected individuals, companies comply with regulations, avoid additional fines, and demonstrate responsibility. For example, BA reported the breach to the ICO on September 6, 2018, meeting the 72-hour notification window. This adherence helped limit regulatory penalties (though BA still received a fine, the process aligned with the rules).

Beyond compliance, public trust is at stake. Customers feel betrayed if a breach is hidden or covered up. Studies suggest that evasive or delayed responses can severely erode consumer confidence. A clear, honest admission—even if bad news—can mitigate panic. For instance, BA issued formal apologies and offered affected customers compensation, which, while costly, was necessary to show accountability. Forbes notes that losing customer trust can have long-term costs to brand value. By contrast, transparent handling can preserve some goodwill. Quick disclosure also empowers customers to take protective actions (e.g. cancelling cards) and prevents rumour-driven speculation.

In short, transparency is part of crisis management best practices: it satisfies legal duties and can reduce reputational harm. Companies should thus develop communication plans that ensure rapid, honest notification of stakeholders, regulators, and the public when breaches occur.

4. How to balance cybersecurity investment with other priorities?

Balancing security spend against other business needs is essentially a risk management question. Organisations should adopt a risk-based approach, aligning cybersecurity budgets with the value of assets and the level of threat. The NIST CSF endorses this approach, allowing companies to tailor security “appropriately” to their risk environment. This means analysing potential breach costs (fines, remediation, lost sales) versus the cost of preventive controls. Studies show that severe breaches can inflict millions of dollars in losses; for example, industry estimates put the average breach cost in the multi-million-dollar range. In a Forbes Technology Council analysis, experts argue cybersecurity should be viewed as a strategic investment that protects revenue and brand value.

Empirical data indicate that many organisations underinvest in security. A 2025 report found only 3% of companies felt their budget fully covered all cybersecurity needs. Meanwhile, 52% wanted more funding for security personnel and 57% for new technology. This suggests a disconnect between perceived risk and spending. Boards must recognise that underfunding security to save costs often leads to far greater losses when an incident occurs. A practical way to balance is to treat security dollars as insurance: determine a reasonable budget to reduce risks to an acceptable level. For critical systems (like customer data portals), higher security investment is justified. For less critical functions, basic controls may suffice. Regular risk assessments can help reallocate resources as priorities change.

In summary, companies should not view cybersecurity as a burden but as protecting a key business asset. Decision-makers can use models (e.g., FAIR – Factor Analysis of Information Risk) to estimate expected losses from cyber events and compare them to security program costs. When done transparently, boards can integrate cybersecurity budgets into overall strategic planning. This way, security investment is balanced with other priorities in line with quantified risk.

5. What is the reputation impact of breaches, and how do organisations manage them?

Breaches can severely damage an organisation’s reputation. Customers expect companies to safeguard their data; when this trust is broken, they may lose confidence in the brand. The BA breach generated widespread media coverage and negative press. Immediately after BA disclosed the attack, its parent company’s share price fell by about 2%, reflecting investor concern. News articles emphasised BA’s apology and the unprecedented nature of the hack, highlighting a blow to the airline’s image. Similarly, the SFO’s incident raised questions about the airport’s security competence among employees and contractors.

To manage reputational harm, organisations typically take several steps. First, they publicly acknowledge the incident and apologise, which humanises the response. BA’s CEO issued apologies and offered credit monitoring, signalling care for customers. Second, they implement remedial measures and communicate them: after the BA hack, the company announced system upgrades and waived some fees to compensate affected passengers. Third, PR campaigns and advertisements may be used to rebuild trust over time. According to Forbes, preventing loss of customer trust is extremely hard—“Rebuilding a brand’s reputation is a complex and expensive endeavour”. Therefore, proactive reputation management is essential.

In practice, companies often set up dedicated web pages or hotlines for breach inquiries, update customers via email or media, and engage with regulators and law enforcement publicly to show compliance. They also monitor social media and the press to counter misinformation. Over the long term, firms invest in highlighting security improvements and may obtain third-party assurances (like security certifications) to reassure stakeholders. Ultimately, managing reputation after a breach requires transparency, empathy, and concrete actions to demonstrate learning and improvement.

6. Are existing cybersecurity measures at SFO and BA adequate given evolving threats?
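The FAIR-style comparison of expected losses against security program costs described under question 4 above can be made concrete with a small Monte Carlo model. The following is an added example, not code from the article or from the FAIR standard: it simplifies FAIR by sampling loss event frequency (LEF) and loss magnitude (LM) directly from (minimum, most likely, maximum) ranges rather than from FAIR's full factor tree, and all input figures (a customer data portal, a control costing 1.2m per year assumed to cut event frequency by 60%) are constructed for illustration only.

```python
# Added example: simplified FAIR-style expected-loss vs. control-cost comparison.
# Not the paper's figures and not the full FAIR ontology; LEF and LM are sampled
# directly from expert-style (min, most likely, max) ranges (an assumption).
import math
import random
import statistics


def sample_pert(low, mode, high, rng, lam=4.0):
    """Draw one value from a PERT distribution fitted to (low, mode, high)."""
    if high <= low:
        return low
    alpha = 1.0 + lam * (mode - low) / (high - low)
    beta = 1.0 + lam * (high - mode) / (high - low)
    return low + rng.betavariate(alpha, beta) * (high - low)


def sample_poisson(rate, rng):
    """Number of loss events in one year for an expected rate (Knuth's method)."""
    if rate <= 0:
        return 0
    limit = math.exp(-rate)
    count, product = 0, rng.random()
    while product > limit:
        count += 1
        product *= rng.random()
    return count


def simulate_annual_losses(lef_range, lm_range, rng, trials=20000):
    """Simulate total annual loss, one value per trial.

    lef_range: (min, most likely, max) loss events per year.
    lm_range:  (min, most likely, max) loss per event, in currency units.
    """
    losses = []
    for _ in range(trials):
        rate = sample_pert(*lef_range, rng)
        events = sample_poisson(rate, rng)
        losses.append(sum(sample_pert(*lm_range, rng) for _ in range(events)))
    return losses


def summarise(losses):
    """Annualised loss expectancy (mean) plus tail percentiles a board would ask for."""
    s = sorted(losses)
    return {
        "ale": statistics.fmean(s),
        "p50": s[len(s) // 2],
        "p90": s[int(len(s) * 0.9)],
        "p99": s[int(len(s) * 0.99)],
    }


def compare_control(lef_range, lm_range, control_cost, lef_reduction, seed=1):
    """Expected loss with and without a control that cuts LEF by lef_reduction.

    net_benefit > 0 means the control's expected loss reduction exceeds its cost.
    """
    rng = random.Random(seed)  # fixed seed so the comparison is reproducible
    baseline = summarise(simulate_annual_losses(lef_range, lm_range, rng))
    reduced = tuple(x * (1.0 - lef_reduction) for x in lef_range)
    controlled = summarise(simulate_annual_losses(reduced, lm_range, rng))
    net_benefit = baseline["ale"] - controlled["ale"] - control_cost
    return {
        "baseline": baseline,
        "controlled": controlled,
        "control_cost": control_cost,
        "net_benefit": net_benefit,
    }


if __name__ == "__main__":
    # Constructed inputs (hypothetical): a customer data portal with
    # 0.1 / 0.5 / 1.5 breach events per year, 0.5m / 4m / 25m loss per event,
    # and a control costing 1.2m per year assumed to cut event frequency by 60%.
    result = compare_control((0.1, 0.5, 1.5), (0.5e6, 4e6, 25e6), 1.2e6, 0.6)
    for label in ("baseline", "controlled"):
        r = result[label]
        print(f"{label:10s} ALE={r['ale']:>12,.0f} p90={r['p90']:>12,.0f} p99={r['p99']:>12,.0f}")
    print(f"net benefit of control: {result['net_benefit']:,.0f}")
```

The tail percentiles matter as much as the mean: a control that barely moves the ALE may still be worth funding if it cuts the p99 loss that would threaten the business, which is the "treat security dollars as insurance" framing the article uses.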