Does your company have a data breach recovery plan? And does it include a communications strategy to protect reputation?
If your answer to either of these questions is ‘No’ then it is definitely time to take action now before a cyber breach occurs.
The likelihood of this happening increased dramatically last year. High profile cyber attacks at Yahoo, MySpace, Hewlett Packard Enterprises, Weebly, and the US Department of Health and Human Services released personal data on hundreds of millions of people. And these were just the headline-grabbing attacks. FireEye has noted that most cyber breaches in APac never become public because of ineffective breach disclosure laws, but that doesn’t mean they are not happening.
In Asia in 2016, for example, cyber attacks on SWIFT’s global financial network resulted in $81 million being stolen from Bangladesh’s central bank. Another example was felt by customers of Singapore telecoms company StarHub last October, when a Distributed Denial of Service (DDoS) attack on domain name servers through compromised subscriber devices caused extensive web connection issues for broadband customers.
Cyber attacks cost APac businesses more than an estimated $81 billion in revenue in the first nine months of 2015 alone. And according to Allianz the main causes of economic loss after a cyber incident are business interruption, reputation loss, liability claims, and data restoration costs.
Reputation loss is a very real issue for companies, particularly at a time when trust in organisations is low, fake news is on the rise, and the power of the individual to influence the actions of consumers and stakeholders is at an all-time high (and likely to strengthen further).
In this environment companies need to be much more proactive in engaging with customers and explaining what has happened and what remedial actions are being taken.
As the Internet of Things becomes a reality, risks only increase. Governments globally have recognized the threat that interconnected devices bring. More than 30 countries have unveiled cyber security strategies at a national level. Singapore, for example, launched a Cybersecurity Agency in 2015 to oversee policies and conduct cybersecurity outreach. With Singapore’s push to become a Smart Nation and a global fintech hub, managing cybersecurity effectively becomes critical.
Elsewhere in the world governments are enforcing regulations around data protection, effectively making it the responsibility of companies to protect customer data globally. One of the most far-reaching initiatives will be launched in 2018 across the EU when the General Data Protection Regulation comes into effect for companies operating in the EU, or companies where just one data subject is based in an EU country. The regulation calls for a 72-hour notice requirement to EU authorities for any data breach and fines of up to 4% of worldwide turnover for a breach.
With all these pressures for managing cyber threats one might imagine that this would head the list of concerns for risk managers. The latest Allianz annual survey of risk managers globally shows that risk managers in UK, Germany, S. Africa, France, USA, Australia and Spain take cyber incidents seriously, ranking them as their #1 or #2 concern. However, across Asia as a whole cyber risks come in as a #4 priority.
Asian companies should be more worried. Mandiant, a FireEye company, reported in August that organisations in APac allowed attacks to dwell in their system environments for a median period of 520 days – yes, that’s 18 months – before discovering them, three times the global median.
Two of my colleagues noted in a recent article that “Following a data breach, there’s really only two options: implement your data breach response plan, or begin to search the situations vacant pages.”
However, even in the US where breach disclosure laws are strong and the majority of companies have data breach response plans, an Experian survey shows that only 27% of respondents were confident that their organizations could minimise the financial and reputational impact of a data breach.
In Asia, getting companies to recognize the need to take cybersecurity seriously and to put in place a holistic data breach response plan was important last year but is absolutely critical this year as risks increase and consumer expectations on corporate accountability intensify.
This shouldn’t just address the issues from an IT perspective but also recognize the need to address the potential reputational impact on customers, suppliers and other stakeholders.
From a communications perspective, effective planning should take into account:
- The required speed of response
- How to communicate to stakeholders, internally and externally, when the means of communication may have been compromised
- How to monitor, manage and respond to social media in real time
- Who from the management team can help contextualise the problem effectively with those impacted
- What specialised outside communication resources may be needed to support management’s efforts
- A plan to restore confidence and build brand reputation.
Linking communications into crisis response has never been more important, and it is as much the responsibility of corporate and brand communications teams and their outside advisers to drive home its importance at the C-Suite and Board level as it is for other departments to recognize that communications is an important part of reputation protection and should be included.
If companies and organizations are complacent and only react when a data breach occurs, not only is it too late but the economic loss may force the company to close.
A large part of public relations is the creation, promotion, or protection of the reputation of companies and brands. Protecting against corporate risks is complex, but the prospect of cyber threats has to be recognized as much more of a concern than it currently is by companies across Asia.
Make 2017 the year to reverse this and place cyber response planning and testing at the top of the management reputation agenda.