This article was originally published on LinkedIn.
More than a billion people were affected by data breaches in 2018. They had a broad range of personal data stolen ranging from passport, identity card and credit card data to health history, encrypted passwords, email addresses, phone numbers, birthdates, and relationship status.
Brands including Marriott, Google, Facebook and Cathay Pacific were all affected and throughout the year there was a steady drumbeat of companies announcing breaches, some of which had been happening over a period of months or years. At a local level even in Singapore – a small, but highly cyber-aware country – a Chubb survey of 300 SMEs found that more than half of them had been hit by cyber security breaches and errors in the previous 12 months. Multiply these events globally and it is easy to see why cyber incidents, together with business interruptions, top the 2019 Allianz Risk Barometer of global business risks.
Meanwhile, the GDPR in the EU and other regulations globally are forcing companies to be more transparent, which also means there is more news about breaches. With this quantum of cyber incidents and the amount of personal information compromised one might expect companies to be over-communicating to reassure customers, and for the public outcry to be greater than it has been. While fines have run in the millions of dollars and many apologies have been made with pledges to do better in the future, consumer outrage dissipated quite quickly.
Has the amount of news about data breaches made consumers numb to the problem? And, do companies now just view data breaches as an inevitable cost of doing business?
Common sense says we should care a lot more about our personal information being compromised. And companies should take more responsibility for protecting data, preparing for a potential data breach, and introducing protocols on how and when customers are advised of a problem. This is one aspect of crisis preparation and communication management. However, from a communications perspective how should we address the issue of “breach fatigue?”
Involving behavioral science as part of communications could be key to the solution by helping us to understand why apathy is settling in and offering a guide for what may inspire change.
A 2014 review of cybersecurity awareness campaigns highlighted that often they fail to change behavior, and that causing feelings of fear in people is not an effective tactic, nor is building awareness of the problem enough. Instead, the review recommends “targeted, actionable, and doable” security education with “simple, consistent rules of behavior that people can follow.”
In 2017 another study examined Twitter data for the two months following the US Office of Personnel Management (OPM) data breach in 2015. This study looked at the emotional response through an adaptation of the Five Stages of Grief theory, observing online activity around OPM announcements to track responses in terms of anxiety, anger, sadness and acceptance.
With a drip-feed of negative announcements from OPM (rather than one announcement of the full extent of the problem) during the two-month period, the study highlighted a first day drop-off in engagement of 35% rising to 84% during later announcements, indicating either an acceptance of the breach event or an apathetic perspective towards it “as would be expected with the onset of breach fatigue.” The study concluded that to address this it might become necessary “to intervene in the emotional response cycle to prevent emotional exhaustion.”
Making behavioral science part of the communications solution can help companies be more effective in their crisis communications, as well as being increasingly critical to the broader PR sector as my colleague Lily Kofler, part of the behavioral science team at Hill+Knowlton Strategies, recently described.
The ability to use behavioral science in no way detracts from the professional communications counsel practitioners provide. Instead it adds more information and an improved understanding of human reactions.
In today’s increasingly AI driven world, those human reactions can also be tracked online more effectively than ever before. Most excitingly, the latest technology promises more predictive social and influencer analysis where a potential issue can be identified before online escalation turns it into a full-blown crisis, as well as predicting the response from influencers better.
Since the average cost of a cyber-attack increased 62% in the five years to 2017, and the largest breaches today cost companies hundreds of millions of dollars, companies need to take the planning for and management of these events much more seriously.
Forrester predicts that 2019 will be a year of “unprecedented cyber threats to companies and individuals.” Against this unrelenting background the face of crisis communications is changing. A clear, and decisive, response is still imperative, but the way we get there is rapidly shifting amidst an arsenal of different communications tools, techniques and capabilities. Embracing these will make all the difference as companies grapple with this new norm of cyber breaches and fight the perils of “breach fatigue.”