Penn State, the venerable 150 year old institution, ranked 58th among the top universities in the world, was recently targeted in two sophisticated cyber attacks. The College of Engineering’s computer network was returned to service on May 18 after being disconnected from the Internet for a few days in response to the attacks. It turns out that the hackers made the first intrusion in September 2012.
It joins a growing number of research universities which have been attacked including the Massachusetts Institute of Technology, the University of California-Berkeley, Carnegie Mellon University, John Hopkins University and others. Penn State’s research focuses on aerospace engineering and includes significant work on behalf of the Pentagon. Hackers also target sensitive user information causing losses estimated to be worth $294 per record, according to the Ponemon Institute. It is no wonder that 71% of higher education CIOs are concerned with thwarting security breaches and have been busy fortifying their networks.
Universities are not lightweights in the IT security field. Penn State’s information security protocols and practices help block attacks on their 200,000 computer network from nearly 160,000 hostile systems every day. Passwords were compromised in the attack but there is no evidence that records were disclosed. It’s not clear if any research data was stolen.
Aligning Action to Expectations
First, a recap of the definitions of brand and reputation, two terms which are frequently confused as having the same meaning.
Brand is the company’s promise to stakeholders and influencers. Faculty, staff, students, alumni and others experience the Penn State brand first hand. An organization’s reputation, however, belongs to the public community. Perceptions are based on what others think and say, rather than personal experience. Future students and employers of Penn State students are key stakeholders concerned with reputation.
A recent FleishmanHillard-Lepere Analytics study measured the “Authenticity Gap“. That’s their term for the divide between what stakeholders expect from an organization and what they are actually experiencing. 30 percent of consumer expectations are focused on management behaviors. To avoid creating a chasm between management behaviour and expectations, act as your audiences would expect you to act.
Did Penn State management do the right thing in handling the breach? Did they have credible communications?
The university appears to have done a good job of disclosing its breach in a timely fashion and being accountable for it. The announcement of the breach was accompanied on the same day with a news post by university President Barron,
“This is an incredibly serious situation, and we are devoting all necessary resources to help the college recover as quickly as possible; minimize the disruption and inconvenience to engineering faculty, staff and students; and to harden Penn State’s networks against this constantly evolving threat.”
You can read the President’s message here.
The university warned thousands of individuals and its 500 public and private research partners, including government agencies, companies and other schools, of the risks of the data breach. The “Secure Penn State” website became the go-to-place for ongoing general news and information for the community and public, while providing specific guidance for faculty, staff and students.
Unseen efforts had already been underway since the school received an FBI alert in November 2014. They moved quickly to address the breaches, launching a comprehensive internal investigation, retaining FireEye for forensic services, and preparing for remediation.
Criticism or negative commentary has not surfaced on the cyber attack in the media – a sign that their reputation is not suffering damage. The breach was quickly and professionally disclosed, unlike many others that are never reported due to concerns over the impact on an organization’s reputation. Public organizations voluntarily follow the 2011 SEC recommendations for disclosure but sadly many keep the information quiet.
Would It Matter
How would an organization’s brand and reputation be impacted by a hacking? Brand and reputation damage are generally considered non-financial losses and difficult to measure. Anecdotal and survey information is available but better data is required, as is the case with losses involving sensitive user and R&D information.
Opinions vary depending upon the perspective – analyst, vendor, management or consumer.
In a recent Financial Times article, a Gartner analyst stated, “Negative reputational impacts are totally exaggerated . . . I think customers forget about a breach very quickly and it doesn’t impact their interest in buying goods or services from the breached company.” Marc van Zadelhoff, vice-president of strategy in IBM’s security division, agreed: “The more frequently data breaches occur, the more desensitised people become, resulting in less of an impact to the brand’s reputation.”
A 2012 study by the Economist Intelligence Unit revealed that an IT security breach can lead to dramatic and negative sentiment about a company and its image. Of the executives surveyed, 75 percent said IT risks can impact customer satisfaction and brand reputation. 61 percent said IT security breaches remain the greatest threat to their company’s reputation.
A university education ranks as one of the biggest ticket consumer products available. The brands and reputations of many consumer product companies have been undermined by negative experiences in the past. In a recent Deloitte survey, 59 percent of consumers indicated the knowledge of a data breach at a company would negatively impact their likelihood of buying from that company. Only half of the respondents indicated they would be “forgiving” of a consumer product company that experienced a breach if the company quickly addressed the issue.
Trust Under Threat
It’s ironic that as schools push to develop and store detailed profiles of digitally savvy students in the age of big data, they threaten the trust which those consumers have in their education institutions. There is a great deal more to learn about what it takes to meet expectations related to data privacy and security, and the potential impacts of breaches on brand and reputation.