As data breaches become more prevalent, the need for companies to focus on CSR also increases, says Vassiliki Bamiatzi of University of Sussex Business School
With today’s dynamic and rapidly changing work environments, business risks are inevitable. Always of concern to companies are incidents driven by external forces, including cyberattacks.
A cyberattack or data breach refers to an incident where unauthorised individuals or entities gain access to confidential information without permission. Such incidents may consist of different types of events, such as malware, ransomware, denial-of-service attacks, card payment fraud, malicious insiders, or even human error. And they’re not cheap – according to the Ponemon Institute, the average cost of a data breach in an enterprise or large organisation has now reached $4.35m. These financial losses can be the result of attackers stealing sensitive financial information, such as credit card details or banking credentials, leading to financial fraud or theft. Companies may also incur costs associated with incident response, recovery, and repairing damaged systems or networks.
In addition, the reputational damage a data breach can impose on an organisation is significant. These attacks can hamper trust with stakeholders, as well as damage a firm’s goodwill with its suppliers, customers and wider society. As all companies would agree – a good reputation takes a long time to cultivate in the first place, so when it is put at risk through a cyberattack, they have a significant amount to rebuild.
Addressing the impact
So, how can companies minimise the damage caused by these incidents? Recent research conducted by my colleagues and me found that companies that had invested in CSR (corporate social responsibility) activities before a data security incident were better able to minimise the damage caused by the breach once it had taken place.
Broadly speaking, CSR involves integrating social and environmental concerns into a company’s business operations and interactions with stakeholders, including employees, customers, communities, and the environment. CSR initiatives can encompass a wide range of activities, such as ethical business practices, philanthropy, environmental sustainability, employee volunteer programmes, and community development projects. The aim of CSR is to go beyond profit generation and promote long-term sustainability and positive societal impact. With this in mind, our research has revealed that engaging in these practices and implementing a good CSR strategy can actually act as a buffer against unexpected negative events and fraudulent actions that could negatively affect a firm’s reputation and performance.
Exploring a sample of 230 breached firms, we found that companies that had introduced CSR activities experienced higher levels of trust and understanding from their stakeholders, especially during times of crisis, and as a result an incident is more likely to be viewed as “an honest mistake” or simply bad luck, rather than poor management and negligence. Indeed, our research also found that some industries can benefit more from engaging with CSR activities before and after a data breach, because they are more negatively affected by such cyberattacks when they occur. This includes companies that operate in high consumer-sensitive industries: industries that produce goods and services primarily aimed at individual customers, such as banking, retail, and food.
These industries are more sensitive to data breaches for a number of reasons. Firstly, from a consumer’s point of view, customers and clients of high consumer-sensitive industries are more attuned to the use, protection, and dissemination of their personal information, since any mishandling can have detrimental effects on their personal and professional lives; a data breach therefore directly challenges the trust and reputational foundation of consumer-focused businesses. Secondly, from a practical standpoint, we expect firms operating in industries that either handle large quantities of sensitive data or rely on consumer data, such as companies in high consumer-sensitive industries, to be lucrative targets for financially motivated cyber attackers. As such, firms in consumer-sensitive industries have the most to gain from exhibiting heightened CSR activities before and after a data breach, because they face not only an increased risk of attacks happening in the first place but also the subsequent reputational damage that follows.
Shielding against public opinion
Despite the increasing consensus that socially responsible behaviour can act as insurance against externally induced shocks, supporting evidence remains somewhat inconsistent. However, our study provides a clear demonstration of the insurance-like properties of corporate social responsibility in the event of a data breach. By acting as a shield against public opinion and preserving corporate reputation, CSR can ultimately lessen the negative implications of a cyberattack. This is especially relevant for firms in consumer-sensitive industries, which we have shown to have the most to gain from exhibiting heightened social activities before and after an incident.
So, as data breaches become more prevalent, the need to focus on CSR, particularly in consumer-sensitive industries, also increases. Therefore, CEOs of firms should take note of this study and take the opportunity to shelter their reputation and stakeholder relationships by intensifying their CSR activities.
About the Author
Dr Vassiliki Bamiatzi is Professor of Strategy and International Business (Strategy and Marketing) at the University of Sussex Business School. This article is based on the 2023 research paper ‘Are the good spared? Corporate social responsibility as insurance against cyber security incidents’, which was published in ‘Risk Analysis – an international journal’ by Dr Bamiatzi and co-authors.