Guest article by Natali Brandis, Partner at strategic communications consultancy Kekst CNC, on the top challenges of communicating a cyber security incident.
With an increase of 67% in cyber security breaches in the past 5 years, the record GDPR fine of €204m for the British Airways Data breach and a growing diversity of sophisticated attacks, it’s not surprising that cyber incidents are listed as the top business risk for 2020 according to the latest Allianz Risk Barometer. In today’s digitally interconnected working world, cyber-attacks rarely affect isolated elements of a company but have an impact on multiple sites, departments and global business operations.
Against that backdrop, strategic communications with internal or external stakeholders has become a decisive factor in navigating through a crisis and protecting your reputation. Considering the development of the past years and the emerging trends, we see three major challenges when it comes to communicating a cyber incident:
1. Know your enemy.
Ransomware, cryptomining, DDoS attacks, malware, data breaches… Not only the increasing number of incidents but also the growing range of attack formats makes it harder to understand the motives of your attacker. Yet identifying exactly that is crucial if you want to define effective countermeasures across IT, corporate security, HR and communications. Stakeholders, messages and reporting processes change depending on whether you are facing a data breach (like Marriott International), you are being blackmailed by hackers (like Travelex) or your company systems are collateral damage in a larger infrastructure malware attack (e.g. Maersk). Estimating the likely source of the cyber-attack is a first step. Often, the attacker might be closer than we think. While attacks are increasingly led by professional hacker teams, more than 60% of cyber-attacks are led by ex-employees.
2. Reporting pressure.
The GDPR, introduced in May 2018, requires fast reporting following a data breach. Even in complex attack scenarios, companies are required to inform authorities within 72 hours and affected parties as soon as possible. GDPR violations result in both financial consequences and reputational damage. Mega data breaches (involving more than one million records) by now result in average fines of €38m. Even when the breach is significantly smaller, poor communications – from informing media and customers in the wrong order and using unsuitable formats of direct interaction with affected customers to inadequate apology and compensation measures – can damage the affected company’s reputation.
3. The risk from within.
With hackers and their armoury at the gate, employees remain one of the biggest security threats. In roughly half of all cybersecurity incidents, careless or uninformed staff have contributed to the cyber-attack. Only every third German employee has received IT or data security training. Low levels of internal awareness of cyber risks actively expose companies to attackers. Together with IT and corporate security experts, internal communications needs to comprehensively educate employees on cyber threats and empower them not to fall for social engineering tricks, to choose and protect secure passwords and to use their devices responsibly.
Preparation is the key to successfully mastering these challenges. And yet 77% of respondents to a 2019 IBM Security/Ponemon Institute study stated that they do not have a cyber security response plan in place. And even if organisations have developed such a plan, more than half do not test it regularly, despite the finding that companies who respond quickly and efficiently to contain a cyberattack within 30 days save over $1m.
Cyber security has to be prepared and handled as a true team effort: corporate security specialists, IT experts, legal representatives, communicators and other relevant functions need to address cyber risk education, crisis management and incident recovery together to make a company resilient. Cyber incident training sessions across these functions are key to bringing cyber security response plans to life. Together, they should practise roles and responsibilities, define strategies for potential risk scenarios and, last but not least, find a common language between tech and non-tech colleagues so they can handle an attack effectively.
Join us for our interactive live crisis simulations during Command Control 2020 to experience a new approach to cyber crisis preparedness and to test your crisis management skills.