Survey: Consumer Confidence in the Security-Breach EraJune 11, 2014 by Daniel Humphries
We live in the age of the security breach. Over 100 million people have been affected by the recent hacks at Target, Neiman Marcus, Michael’s and, most recently, eBay. Cyber criminals seem to be getting better and better at stealing confidential data and credit card numbers, while even large, well-funded corporations appear increasingly helpless before them.
With so much security failure at such a high level, we at Software Advice wondered what impact these repeated, successful attacks are having upon consumer perceptions. Do shoppers feel safe when using payment cards? Whom—besides the criminals—do they hold most responsible for breaches? And what do they think can be done about it? Companies need to know these answers if they are to regain the confidence of their customers.
We surveyed 1925 people in the U.S. to shine some light on this complex matter. The survey included five questions, each of which was seen by at least 385 unique respondents. Here’s what we found:
- Most consumers are concerned about payment card security, but there has not yet been a collapse in confidence.
- The majority of consumers view security as a spending and a technical issue, and do not regard breaches as a result of CEO failure.
- Almost 50 percent of consumers say that there’s nothing a company could do to win back their confidence if it lost their personal data.
Consumers Mostly Confident About Personal Data Security
First we wanted to gauge how safe consumers feel when using their credit and debit cards, to reveal the extent to which the series of high-profile hacks has damaged confidence in the ability of firms to keep customer details secure.
How confident are you that your personal information will not be stolen when using your credit/debit card?
As the chart shows, the majority of consumers remain fairly confident about the security of their personal information: 33 percent of respondents selected the option, “I have concerns, but feel pretty safe overall,” while another 13 percent selected, “Totally confident; I feel very safe.” Thus, close to half of payment card users (46 percent) are optimistic about the security of their details.
Of the half that is less confident about security, 22 percent selected, “I’m increasingly concerned I’ll get hacked,” while a mere 7 percent were pessimistic about security, selecting, “I expect to get hacked; it’s inevitable.”
The most confident consumers of all are surely the 25 percent of respondents who told us that they don’t use credit or debit cards. Given the seeming ubiquity of plastic in U.S. retail, this may seem like a high number, but in fact it maps closely to other surveys of credit card usage.
If you remove this group from the results, you are left with a clear majority of respondents feeling either “very safe” or “pretty safe overall”: 62 percent, in fact.
How confident are you that your personal information will not be stolen when using your credit/debit card?
Rightly or wrongly, many customers still feel pretty relaxed when entrusting their card details to retailers. For businesses, this is good news: even after a series of high-profile hacks, many consumers still trust them to keep their personal data secure safe from theft.
Consumers Blame Tech Staff for Breaches
IT security is extremely complicated, and so many factors can lie behind a breach that it can take months for experts to come to a conclusion about how or why a specific security failure occurred.
For instance, the Target investigation exposed a lot of alarming information—that the company had no Chief Security Officer (CSO), and had ignored warnings from its state-of-the-art defense systems. As more details emerged, heads rolled. The company’s Chief Technology Officer (CTO) Beth Jacob resigned in March, while CEO Gregg Steinhafel followed two months later.
But while such steps may be necessary to appease shareholders when a high-profile breach occurs, who does the public hold responsible? We asked our survey-takers who is to blame.
Aside from the cyber criminals, who do you blame most when a company gets hacked and customer data is stolen?
Here the majority chose “I don’t know”—which is an eminently reasonable, rational and fair-minded response, given the amount of data and detail involved.
Of those who did hold an opinion, however, 31 percent held the technical staff responsible, while the other potential culprits we presented them with—the company’s CEO and the government (our full option read: “The government; we need more regulation.”)—both polled a mere 9 percent each.
This data suggests that high-profile firings of CEOs do little to boost public confidence, as security lapses are regarded as an inadequate use of technology, rather than a failure of executive management or corporate strategy.
Consumers Unforgiving If Personal Data Leaked
The cost of a data breach can be enormous, as fines, legal fees and other requirements can rapidly escalate into the tens of millions of dollars (and keep on climbing). But there are other costs which are much trickier to track, such as the impact a breach has upon consumer willingness to continue to do business with a brand.
This is difficult to measure, because so many variables are involved. Target profits fell 46 percent following the data breach, but this drop had many contributing factors besides security. For instance, Forbes reported that the company has been struggling with its first attempt at foreign expansion, and lagging behind rival Wal-Mart in other areas.
Still, it seems highly likely that when a company suffers a catastrophic breach and loses many of its customers’ credit card numbers to thieves, that will have a negative impact upon those customers’ willingness to continue shopping there. And so we asked:
If hackers stole your personal data from a company you shop with, how would that impact your willingness to continue buying from them?
And here the data was clear. Thirty-five percent of respondents said they would stop shopping at a company altogether if it lost their personal data, while an additional 23 percent said they would be “much less likely to shop there.”
By contrast, a mere 22 percent said they would be willing to overlook a breach.
With figures like this, it’s clear that breaches do drive customers away. And while large firms with deep pockets may be better able than smaller ones to ride out the storm and wait for customers’ memories of the breach to fade, many millions of dollars will be lost in the interim.
Sometimes, however, the reputational damage caused by a breach is so severe that a firm cannot recover. For instance, in June 2005 it was revealed that credit card processing company CardSystems Solutions had lost 40 million card numbers to cyber thieves. Visa and American Express both dropped the company, and six months after the breach was announced, CardSystems Solutions was acquired by Pay By Touch (which itself folded in 2007).
More Spending on Security Can Boost Confidence
That’s not the end of the bad news for companies that have suffered a breach. Not only does losing customer data impact consumer willingness to continue to do business with you—there is also very little you can do to persuade customers to return once they leave.
What could a company that had lost your data to hackers do to make you feel more confident about shopping there again?
Forty-four percent of respondents told us that there was “nothing” a company could do to make them feel confident about shopping there again if it lost their data. The picture is not entirely hopeless, however: Steps can be taken towards remediation, as almost one-third said that increasing spending on security measures would improve their confidence.
Other measures are less effective. Offering free credit reports will not do much to restore consumer confidence, and neither will firing the person most directly responsible—presumably not even the CTO, even though question three above revealed that many consumers view breaches as the fault of technical staff.
Consumers Want Harsher Criminal Penalties
Finally, we wanted to know not only who customers hold responsible for breaches, or how firms can restore confidence—but what the public regards as the best solution to the epidemic of breaches.
Lots of companies and organizations are getting hacked and losing customer information. What is the best solution?
Here, it was a close call between more spending and more punishment, with punishment coming out ahead: a total of 36 percent view that as the most effective solution, versus 35 percent who want to see more spending on security. More spending is thus a common theme, and is something companies can actually do (while increasing penalties for hackers is less so, unless companies want to start lobbying Congress).
Beyond toughening sentences, however, there was little appetite for more government intervention: Just as few people blame the government, very few people place any hope in the government’s ability to fix the issue. Indeed, a mere 9 percent want to see more regulation.
We also left an open option so that respondents could make their own suggestions. Here it was striking that nobody suggested the adoption of a chip-and-pin payment system, as is common in the rest of the world—and which U.S. retailers will in fact be adopting in October 2015.
This suggests that unless wide-scale public education starts very soon, there will be a great deal of chaos and confusion when the changeover occurs next year. Indeed, capital punishment for a hacker’s second offense garnered more support (suggested by one respondent) than chip-and-pin.
This survey was about public perception, and while the public is largely unforgiving when firms lose their personal information to cyber criminals, there is hope for companies that have suffered a breach. For while only around half of respondents say companies can do nothing to restore their faith in the aftermath of a breach, the majority of credit card users still feel fairly safe when using their cards in stores. Increased spending on security can also reassure some customers.
Of course, whether or not increased spending on technology (or other suggestions, such as more severe punishments) is really an effective solution to the problem of breaches is another matter. Target, after all, had some very high-end security tools in its arsenal, and the firm even received repeated alerts from its systems that it had been breached.
Ultimately, firms must study closely the fates of those (such as Target) that have suffered from breaches and make sure not only that they are spending money on security measures, but also that they are selecting and configuring the solutions they choose carefully, training employees how to use them and developing a culture where security is taken seriously, from the C-suite to entry-level positions. This approach is most likely to improve company security and produce the kind of results that, in turn, will improve consumer confidence.