GDPR effectively forces companies to go public with serious data breaches, which poses further challenges when it comes to protecting their reputation. A quick and effective response to a cyber attack is impossible without thorough planning and forethought. Jonathan Hemus offers some points to consider...
The General Data Protection Regulation (GDPR), which came into force in May this year, has fundamentally changed how organizations must respond to a cyber attack. The onus is on organizations to report a personal data breach to the supervisory authority within 72 hours of becoming aware of it, unless the breach is unlikely to pose a risk to the individuals affected, or face hefty fines.
GDPR also requires organizations to tell the affected individuals without undue delay when a breach is likely to put them at high risk. In practice this forces companies to go public with serious breaches, which poses further challenges when it comes to protecting their reputation.
The short-term financial cost of a cyber attack can be significant, but of equal concern is the damage it can do to an organization’s reputation with its stakeholders. For example, in November last year the world’s largest container shipping line, AP Moller-Maersk, said the cost of the cyber attack it suffered amounted to $300m, forcing it to cut its profit guidance and sending its share price down seven percent.
Yet a cyber attack often tempts bosses to focus on the short-term financial impact at the expense of the longer-term reputational implications.
The reputational impact of a cyber attack
PwC’s Global CEO Survey 2018 found that 40 percent of CEOs ranked cyber threats as their biggest concern, ahead of technological change, uncertain economic growth and terrorism.
Dealing with cyber incidents is no longer the preserve of IT managers or even CIOs; it’s now identified as a board-level issue with the potential to cripple your organization.
Organizations are judged on their response to a crisis. If you are perceived to have responded inadequately to a cyber attack, particularly one that involves compromised personal data, the short-term costs will be substantial but so will the long-term consequences.
If the crisis is mis-managed, your customers, investors, and the public will lose trust in your organization.
As we saw with Facebook’s recent scandal over the misuse of user data, the public places a huge amount of trust in organizations that capture its data. In the aftermath, Facebook’s market value dropped by £25 billion and a campaign to ‘delete Facebook’, instigated by high-profile users of the platform, went viral. Facebook’s reputation today is very different from what it was a year ago.
Planning and preparing for cyber scenarios
To be prepared for a cyber attack, organizations need to understand their areas of vulnerability and the potential impact on the business. Once your risk landscape is clear, you can plan scenarios for different types of cyber incident, working out how you would respond, the criteria for decision-making and the resources you would be likely to need.
The next step is to turn your risk assessment and scenario planning into a set of response processes and protocols. A quick and effective response to a cyber attack is impossible without thorough planning and forethought.
Once you have a plan in place to deal with cyber incidents, you must ensure that your people are briefed, trained and rehearsed in what they should do in the event of an issue. The Cyber Security Breaches Survey 2018, published by the UK Government, found that while most organizations see cyber security as a high priority, only 20 percent of businesses had staff attend any form of cyber security training in the previous 12 months.
Training should extend way beyond your IT specialists. From your lawyers to your call centre staff and social media teams, you must ensure that everyone who might play a role in your response has the knowledge and skills they need.
One of the best ways of rehearsing your cyber response plan and people is through simulated exercises based on realistic cyber scenarios. This gives people the confidence and capabilities to do and say the right thing in the event of a live cyber attack.
How to respond to a cyber attack, post-GDPR
As with any crisis, the response time and immediate actions taken are critical to the fate of an organization.
In a post-GDPR world, there is an obligation to act quickly or face punitive fines. Consequently, GDPR could act as a positive catalyst for organizations to ensure their plans and teams are ready to activate quickly should the worst occur.
When a cyber incident does occur, here are the steps you should take to manage it:
- Activate your team – speed is of the essence; convene your team as soon as you become aware that you may have an issue;
- Deploy your plan – uncertainty and high stakes can cause even experienced executives to make poor decisions under pressure; use your plan to guide you through these critical early stages of an incident;
- Act quickly – investigate and address the situation and proactively communicate with affected stakeholders. Any attempt to hide the truth, or a failure to communicate, will likely damage reputation and business value. When news of a major data breach at Yahoo emerged in 2016, two years after the attack happened, it not only resulted in a $35 million fine but also a $350 million reduction in the price Verizon paid to acquire the business;
- Provide regular updates & information – reassure stakeholders with updates and information via multiple sources, including your website, social media feeds, call centres, in-store or in-branch;
- Exceed expectations – ensure the steps you take to reduce the impact on affected stakeholders go above and beyond what is expected. For example, if you’ve suffered a data breach, provide customers with advice on how to protect their personal and financial information;
- Futureproof – take steps to avoid another incident. You can be forgiven for an isolated event, but repeat offenders, such as TalkTalk, suffer the worst harm.
The ever-growing list of organizations that have failed to respond effectively to a cyber incident and suffered damaging consequences is a warning to all businesses. No company can immunise itself against attack. However, planning, training and rehearsal can enable you to respond quickly and effectively and emerge with your reputation intact.
Jonathan Hemus is managing director of crisis management specialists Insignia.