
Cybersecurity: the risk is often inside

In the past century I spent twenty years as a communications executive in two Fortune 50 tech companies. I remember the early-day discussions on trojan horses and technical issues that could potentially lead to a cyber crisis. The focus was mainly on technical matters. Today the risk is often inside, arising from human error and poor judgement. This is why cybersecurity is a C-suite issue and crisis communications must be an essential part of the planning. Cybersecurity is far too important an issue to be handled solely by the IT department.

Cyberattacks are a constant threat that looms over every business. It’s a crisis waiting to happen at any given moment. In today’s interconnected world, it’s not a matter of if, but when.

At Leidar, we have honed our expertise in providing crucial advice and support during numerous cyber crises, leaving our clients stronger and more resilient. Just in 2023, our team worked on more than 85 active cyber matters. Later in this article, I will lay out the essential elements for constructing an effective crisis communication plan in the event of a cybersecurity issue, highlighting key steps that must not be overlooked.

Cybercrime skyrocketing

The World Economic Forum’s 2023 Global Risks Report ranks cybersecurity as one of the top 10 risks facing the world today and in the future. Experts predict that the cost of cybercrime will skyrocket to $10.5 trillion annually by 2025, according to a report by Cybersecurity Ventures.

A cyberattack not only disrupts a company’s technological infrastructures, but also instigates a crisis that jeopardizes its reputation, brand value, financial stability, compliance, and overall business operations. The ramifications of such a crisis extend beyond the internal workings of the company to the sentiments of stakeholders and public perception.

Repeated headaches at Sony

The realm of cyberattacks has witnessed some notable events in recent times. In September 2023, multinational technology giant Sony was rocked by a devastating cyber-attack, leaving nearly 7000 employees’ personal information exposed to the public. And this was not the first time the group had fallen victim to such a malicious attack. In November 2014, a hacker believed to be working for the North Korean government leaked confidential data from Sony Pictures Entertainment, including employee records and financial information, as well as unreleased films. The motive behind this attack was believed to be retaliation for a satirical film that depicted the assassination of North Korea’s leader Kim Jong Un.

The 2014 Sony hack garnered global attention due to its impact on a major corporation, both in terms of data theft and physical damage to their infrastructure. This incident echoed another major cyberattack in April 2011 when Sony’s PlayStation Network was hacked and personal information of 77 million users was exposed, resulting in a shutdown of their servers for 23 days.

In another large-scale attack, renowned software developer Adobe confirmed in 2013 that around 38 million accounts were compromised by hackers who gained access to parts of their Photoshop source code. Following news of the breach, Adobe faced a multi-state lawsuit resulting in over $1 million in fines and significant damage to their reputation.

353 million impacted in 2023

According to the latest annual report from the Identity Theft Resource Center, 2023 saw a surge of 72% in data breaches, with 2,365 cyberattacks affecting 353 million victims. This surpassed the previous record set in 2021. Among these attacks, one of the most significant was the MOVEit breach where hackers infiltrated the file transfer software’s servers and compromised data of more than 600 organizations worldwide, including government agencies and well-known businesses like British Airways, the BBC, and Boots. The extent of this breach is still being determined but has already impacted over 60 million individuals.

In light of this, it is crucial for companies to establish effective crisis communication strategies to mitigate the damaging effects of a cyber-attack. However, it must be noted that there is no one-size-fits-all solution when it comes to crisis management. With the constantly evolving landscape of digital security threats, businesses must tailor their crisis plans to suit their unique needs, while also taking into consideration their stakeholders and operating environment. Companies must have a proactive comprehensive plan to effectively handle all potential cyber incidents.

Take some simple steps to be ready

How can one prevent such crises before they strike and effectively communicate during times of turmoil? The complexities involved in communicating with multiple stakeholders – including the public, shareholders, investors, and the media – cannot be underestimated in the face of a cyber incident.

1) Build awareness and create a culture

While larger and well-known businesses often make headlines for cyberattacks, small and medium businesses, as well as individuals, face similar threats every day from organised cybercriminals. Phishing, for instance, is becoming more and more sophisticated, and it is easier to target smaller businesses. The 2023 Data Breach Investigations Report by Verizon states that email remains the most common method for delivering malware, with approximately 35% of cases involving malicious emails. This is something I witness frequently at Leidar. Here’s a recent example targeting one of my colleagues:

Hey Andreas,
Hope you are good? Are you available for a short conversation via email as I’m in a webinar right now and calls are restricted here? Or drop me your WhatsApp number . I have a major concern I will like you to handle in a timely manner.

Regards, Rolf Olsen, ceo at Leidar

A common tactic used by cybercriminals is to impersonate the CEO or CFO and ask for something to be fixed urgently. We also see many clever instances of criminals impersonating us to clients, often following up on invoicing. As these types of attacks continue to evolve, it is crucial to educate and raise awareness throughout the organization on how to stay vigilant against these threats.

Recommended actions:
  • Regular e-mails from top management to all employees with concrete examples of real attacks.
  • Cyber security awareness training for all employees.
  • Feature cyber security issues in company meetings and communication regularly.

2) Proactive planning and accountability

The key to mitigating cyberattacks lies in proactive planning, rather than reactive responses. Such foresight enables businesses to swiftly recover from these breaches, minimizing the impact on their reputation and brand image.

Recommended actions:
  • CEOs and board members must take control and lead the charge in establishing a crisis communications committee.
  • This team should be comprised of all stakeholders who play a crucial role in mitigating an attack’s damage.
  • Each member must have defined responsibilities and be ready to spring into action at a moment’s notice.
  • Ensure that your entire staff knows your company’s media and social media policies. Members of the media or public may reach out to your team for comment via their personal social platforms.

3) Assessing risk and attack scenarios

In 2023, the average cost of data breaches soared to a staggering $4.5 million, an all-time high according to IBM’s latest annual report. This marks a 15% increase over the past three years. The report also emphasizes the importance of early detection and swift response in mitigating the impact of breaches. However, despite these findings, half of the affected organizations are hesitant to invest more in their security measures. It is crucial for companies to meticulously plan and prepare for potential attack scenarios with malicious intent. From crippling ransomware attacks to insidious data breaches, no threat can be overlooked. Subsequently, appropriate measures should be taken to mitigate damage, through the implementation of innovative technology or internal protocols.

Investment in risk assessments and comprehensive readiness can be quite modest compared to the cost of an incident.

Recommended actions:
  • Consider your entire value chain and where there are serious risks for data breaches or cyber security attacks.
  • Prioritise all risks according to likelihood and severity.
  • Develop detailed processes for how to respond using RACI – who is responsible, accountable, consulted and informed during every step of the response.
  • Perform exercises and training, at least annually.
  • Review new cases and innovations in the areas of cyber security, and imagine if they can hit you and how you would be able to respond.
  • Ensure that every level of the organisation is ready, not only HQ.

4) Prepare a pre-written playbook

When a cyberattack strikes, you will not have time to think or plan. Have a range of pre-written statements and talking points ready for various potential scenarios, covering employee and customer information, press releases etc. Do not wait until it is too late – use this calm period to strategically prepare and take professional precautions. In a crisis, things will escalate quickly, and the pressure will be overwhelming. Keep in mind that while statements may need to be adjusted, prompt communication with customers and stakeholders is critical in any cyberattack situation. Also, these prepositioned assets must be thoroughly vetted by an experienced communications and legal team to prevent future litigation or the unnecessary walking back of inaccurate information.

Timing is crucial – too late and the damage may be irreversible. Such was the case for Australia’s telecommunications giant Optus when they suffered a data breach in 2022, impacting up to 10 million customers – a third of the country’s population. Optus initially portrayed itself as the victim of a sophisticated cyberattack, but doubts were quickly raised about this characterisation as reports from insiders suggested an internal error was to blame. The Australian government too held Optus accountable for their negligence in leaving “the window open for a cybercriminal to conduct a simple hack.” Experts in public relations were critical of Optus’ response, citing its lack of effectiveness and self-serving nature instead of addressing the needs of their customers.

To avoid such damaging situations, it is imperative to assemble a dedicated team and communicate with urgency, leaving no room for the harmful speculations of the rumor-mill. Act swiftly and directly, reaching out to those affected before anyone else. Your official statement must be released on all platforms, including the media, but first, address those impacted personally. The company must take ownership of the situation before it spirals out of control. Establish a strict protocol for disseminating information: designate an “on call” communications lead. And remember: more updates will follow.

Recommended actions:
  • Define key messages and facts for every major risk.
  • Ensure that leadership is knowledgeable and able to speak to all potential issues.
  • Media train and test readiness on a regular basis.

5) Manage social media and digital channels

To effectively handle a cyber security breach, it is imperative that a transparent and comprehensive social media policy is established in the workplace. This entails aligning media statements and social posts, requiring coordination between PR and digital teams. It is essential for all employees to understand what is appropriate to share on both company and personal accounts. During a crisis, proactive measures must be taken, such as removing scheduled posts and having a plan of action prepared for potential inquiries.

Furthermore, to effectively handle negative sentiment, it is recommended to prominently display the official statement on all social media profiles and equip the social team with relevant information to swiftly address questions or criticism. This requires a clear message for response, a designated point of contact for specific queries, and a flow chart outlining how to escalate certain issues.

Recommended actions:
  • Ensure you have a plan to activate all digital channels.
  • Keep a repository of who controls all digital channels.
  • Have sites and information ready to go live in the event of the most likely incidents happening.

6) Seek external expertise

In the chaotic aftermath of a cyberattack, numerous organizations find themselves desperately scrambling to create and implement crisis-communication plans. However, in-house resources are often stretched thin, unable to keep up with the ever-evolving landscape of potential cyberattack scenarios. In these dire situations, turning to external partners with proven expertise in crisis communication services is not just a logical choice, but a necessary one for survival – before, during and after an attack that could spell devastation for any unprepared organization.

Recommended actions:
  • Select your partners in “peace time” and have them ready to go to war with you.
  • Make sure you have all necessary contact numbers and know who to call in the event of an incident.
  • Ensure that readiness is a priority and have dedicated resources ready to serve – this is best achieved with the right partner.

 
Rolf Olsen

CEO, based in Geneva

Rolf Olsen launched Leidar in 2010 and continues to lead the company as CEO.  He advises clients on strategy and narrative development; crisis management; and complex reputational issues on a global scale.
