Reports of new data breaches and cyberattacks appear in media headlines regularly. It was only a matter of time until a new “mega breach” occurred, and a new record was set in September 2016 when the technology company Yahoo disclosed that a 2014 intrusion had exposed at least 500 million user accounts.
Just over two months later, the company was back in the news with the discovery of another, earlier data breach, dating back to August 2013, which was reported to have affected more than 1 billion accounts. Details surrounding both breaches are still sparse as the company continues its forensic investigation of what happened, how and when.
The timing of Yahoo’s data breaches is unfortunate: the company was in the process of being acquired by the telecommunications company Verizon, and the terms of that deal are now being called into question.
Yahoo’s limited communications response gave rise to widespread speculation and confusion about the nature and timing of the data breach, and the implication for Yahoo users across the world.
Questions continue to be asked by customers, shareholders, partners, regulators and politicians. Numerous lawsuits have been filed against Yahoo, and senators have called for further investigations and for a Senate hearing with company representatives. Many commentators have asked whether Yahoo and its senior management were negligent.
Challenges of handling cyber crises
The Yahoo case illustrates the challenges of handling a cyber crisis. Traditionally, an organisation’s risk register was dominated by physical threats with a local impact. Nowadays, digital technologies are the backbone of the economy, so the greater threat is digital, with immediate international reach and impact.
Cybersecurity incidents can have significant commercial consequences for an organisation, including loss of customers and intellectual property, service disruptions, and knock-on effects on business deals and mergers and acquisitions.
Organisations are accustomed to communicating once they have all the facts. In a cyber incident, this is rarely possible: investigations can take weeks, if not months. Yet the longer it takes an organisation to draw a line under a crisis, the greater the financial impact and the damage to its reputation.
No organisation should assume that they can manage all cyber threats.
Firstly, threats are multifaceted. This is evidenced by the recent hacktivist attack against the World Anti-Doping Agency (WADA), the state-sponsored attack against Sony Entertainment, and the cyber-criminal attacks against US retailer Target, financial messaging service SWIFT, or the Swiss secure email provider ProtonMail. Each type of threat has its own implications and requires a different sort of response.
Secondly, threats are recurring. Yahoo had experienced data breaches in the past, and each new breach that becomes public amplifies the reputational damage and public anger.
Thirdly, the threat can never be eliminated. With the best defences in the world, an organisation can still be undone by one successful spear-phishing email, a disgruntled employee, or a whistle-blower. This underscores the role of people in cyber risk, not just technology.
A board-level issue
At least 80% of companies in Europe have experienced at least one cybersecurity incident over the last year, and the number of security incidents across all industries worldwide rose by 38% in 2015 compared to 2014. Organisations therefore can and should prepare the way in which they respond to and manage a cyber incident, both externally and internally.
To limit financial losses and damage to the brand, cyber security must be managed with the same seriousness as any other business risk. Organisations should ensure that there is board-level understanding of, and support for, cyber-crisis preparedness.
Organisational functions are often siloed, and cross-functional conversations seldom take place. It can be enlightening when decision-makers from IT, communications and legal sit together to talk through data breach scenarios, the challenges and implications for the organisation, and the likely communications response. While not everyone might agree, it is better to have such discussions before a crisis happens.
Communications policies and processes
Deciding when and how an organisation will communicate is key. The cyber regulatory landscape is still evolving, and organisations are often not required to disclose a data breach. However, it is becoming increasingly common for cyber incidents to be disclosed by third parties, whether hacktivist groups seeking to cause reputational damage or cyber security firms that discover the breach and decide to hold the organisation to account. Having someone else take the lead on disclosing a cyber incident puts the organisation on the back foot.
Crises are inherently stressful and require rapid action to keep up with the 24/7 media cycle and questions from key stakeholders. Organisations should take the time to develop and implement crisis communications policies and processes, and to create a playbook to guide decision-making and communications responses.
The extent to which an organisation’s brand and reputation suffer following a data breach depends a lot on its reputation before the incident. Research has shown that companies with stronger reputations tend to recover from crises quicker. Building strong relationships and developing trust with key stakeholders is a worthwhile investment, as having supportive voices in a crisis is invaluable.
Traditionally, many organisations across sectors have had plans for handling reputation-threatening crises, but cyber incidents are often left out of them because executives see such risks as IT-related rather than business-critical.
While cyber threats are digital and embedded within the technology that we use and rely on, it still comes down to people. People cause cyberattacks and data breaches, people respond to them, and people manage the repercussions. Keeping this in mind will hopefully ensure that more organisations take the time to prepare their response to a cyber crisis.
About Toomas Kull
Toomas Kull joined CPC as a consultant in February 2016 with expertise in strategic communications, and reputation and crisis management.
He is experienced in supporting organisations on live issues which could impact their license to operate, as well as developing their crisis preparedness capabilities. He has advised companies across sectors including oil and gas, pharmaceuticals, and defence.
Toomas has a particular interest in cyber security and the reputational risks that cyber threats pose. He leads CPC’s cyber crisis communications service.
Prior to joining CPC, he worked in two London-based communications consultancies. He started his career in the public sector, working in the European Commission and the UK’s Ministry for Business. Toomas has a bachelor’s degree in Psychology from Royal Holloway University, and a master’s degree in Organisational Psychology from the London School of Economics.
Toomas is a native English speaker and fluent in French, Russian, and Estonian.
About Cabinet Privé de Conseils
Cabinet Privé de Conseils (CPC) is a Swiss independent boutique advisory firm, dedicated to giving first-class, discreet assistance to clients. Founded in 2004 in Geneva, it is the leading agency in the region and among the top 10 national agencies of the Swiss PR Agencies Association (www.BPRA.ch).
We are experts in the domains of strategic communications, public affairs and business intelligence and have extensive expertise in helping businesses, non-profit associations and international institutions.
We have a proven track record in cyber preparedness and crisis management, stakeholder communication, and regulatory affairs.
CPC has strong relationships with media, economic and political stakeholders in the Lake Geneva region and at a national level. We can also provide communications and media management support at the European and global levels through the Public Relations Global Network (PRGN).