Penn State, the venerable 150-year-old institution, ranked 58th among the top universities in the world, was targeted in two sophisticated cyberattacks. The College of Engineering’s computer network was returned to service after being disconnected from the Internet for a few days in response to the attacks. Passwords were compromised in the attack but there is no evidence that records were disclosed. It’s not clear if any research data was stolen.
It joins a growing number of research universities which have been attacked including the Massachusetts Institute of Technology, the University of California-Berkeley, John Hopkins University and others. In addition to R&D information, hackers target sensitive user data causing losses estimated to be worth $294 per record, according to the Ponemon Institute. Penn State’s information security protocols and practices help block attacks on their 200,000 computer network from nearly 160,000 hostile systems every day. It is no wonder that 71% of higher education CIOs are concerned with thwarting security breaches and have been busy fortifying their networks.
Aligning Action to Expectations
Brand and reputation are frequently confused as having the same meaning. Brand is the company’s promise to stakeholders and influencers. Faculty, staff, students, alumni and others experience the Penn State brand first hand. An organization’s reputation, however, belongs to the public community. Perceptions are based on what others think and say, rather than personal experience. Future students and employers of Penn State students are key stakeholders concerned with reputation.
A recent FleishmanHillard-Lepere Analytics study measured the “Authenticity Gap“. That’s their term for the divide between what stakeholders expect from an organization and what they are actually experiencing. 30 percent of consumer expectations are focused on management behaviors. To avoid creating a chasm between management behaviour and expectations, act as your audiences would expect you to act.
Towards Public Disclosure
The Penn State breach was quickly disclosed, unlike many others that are never reported due to concerns over the impact on an organization’s reputation. They moved quickly to launch a comprehensive internal investigation, retain FireEye for forensic services, and prepare for remediation.
University President Barron stated,
“This is an incredibly serious situation, and we are devoting all necessary resources to help the college recover as quickly as possible; minimize the disruption and inconvenience to engineering faculty, staff and students; and to harden Penn State’s networks against this constantly evolving threat.”
The university warned thousands of individuals and its 500 research partners, including government agencies, companies and other schools, of the risks of the data breach. The “Secure Penn State” website was the go-to-place for ongoing general news and information for students, faculty, staff and the public. Proactive communications would have reduced the risk of negative stakeholder feedback and media commentary on Penn State’s response to the cyberattack.
Would It Matter to the Brand
How would an organization’s brand and reputation be impacted by a hacking? Brand and reputation damage are generally considered non-financial losses and difficult to measure. Opinions vary depending upon the perspective – analyst, vendor, management or consumer.
In a recent Financial Times article, a Gartner analyst stated,
“Negative reputational impacts are totally exaggerated . . . I think customers forget about a breach very quickly and it doesn’t impact their interest in buying goods or services from the breached company.”
Marc van Zadelhoff, vice-president of strategy in IBM’s security division, agreed:
“The more frequently data breaches occur, the more desensitized people become, resulting in less of an impact to the brand’s reputation.”
A 2012 study by the Economist Intelligence Unit revealed that an IT security breach can lead to dramatic and negative sentiment about a company and its image. Of the executives surveyed, 75 percent said IT risks can impact customer satisfaction and brand reputation. 61 percent said IT security breaches remain the greatest threat to their company’s reputation.
A university education ranks as one of the biggest ticket consumer products available. The brands and reputations of many consumer product companies have been undermined by negative experiences in the past. In a recent Deloitte survey, 59 percent of consumers indicated the knowledge of a data breach at a company would negatively impact their likelihood of buying from that company. Only half of the respondents indicated they would be “forgiving” of a consumer product company that experienced a breach if the company quickly addressed the issue.
Reacting to an Evolving Threat
It’s ironic that as schools push to gather detailed profiles of digitally savvy students in the age of big data, they threaten the trust which those consumers have in their education institutions. Expectations for data privacy and security are clearly evolving, as demonstrated by anecdotal and survey information. Additional research is required to quantify the tangible and intangible impacts of the theft of sensitive user and R&D information.
As the frequency of cyberattacks increases, schools should monitor the opinions of students, partners and other stakeholders. Brand equity should be tracked to identify changes. Of course, students should be careful with the types of personal information which they choose to share with schools and others online.
Bryan O’Connor is the founder and president of the Brighteye Group marketing consultancy.