- What is blockchain?
Used mostly for financial transactions, blockchain could be applied to any task that keeps records. Votes could be tallied or company shares stored and traded on a blockchain network. Personal identities and land titles could also be treated as blocks of data to be recorded, protected and verified. “The notion of shared public ledgers may not sound revolutionary or sexy. Neither did double-entry book-keeping,” said The Economist in 2015.

Blockchain’s transparency is considered one of its greatest strengths – a feature not often associated with security. Take political elections, for example. With blockchain, every voter would be able to track their vote and check that it had been awarded to the correct candidate. Each vote would have to be verified by a majority of the network, greatly reducing the risk of it being excluded or counted twice. And even though the ballots cast would be visible to everyone on the network, encryption would ensure they remained anonymous.

There is, of course, no guarantee that blockchain is perfectly secure. But at a time when trust in public and private institutions is waning, blockchain challenges the idea that you need to trust those with whom you do business. Blockchain is so secure and transparent, some believe, you can simply trust the system instead.
- How to mitigate internal cyber threats
According to the 2017 Insider Threat Report, 74 percent of organizations feel vulnerable to insider threats, yet less than half of them have the appropriate controls in place to prevent an insider attack.

By controlling and managing access to data and systems, and by closely monitoring it, companies are hoping to gain early alerts to potential breaches. Careful monitoring may also assist in forensically mapping unauthorized access in the event of a major cyber attack.

Some employers have also begun to rely on technical oversight of their employees’ behavior on company systems as well as social media platforms. These measures may include monitoring what an employee shares online about his or her employer or job. It may also involve automated reviews of what is emailed to addresses outside of the organization, and what is printed, by whom and in what quantity. Some may view this type of oversight as a violation of employee privacy; others may argue that expectations of privacy can blur at the edges of many confidentiality requirements placed on employees.

Regardless, employees need to understand what is expected of them. To earn loyalty and maintain open lines of communication, a company must be clear about employee responsibilities as well as what’s at stake.
- How can preparing for a cyber attack protect my company's reputation?

For the company’s top management, it is important to understand the implications of digital risk and to develop appropriate organisational and communication precautions. Once a data leak has been detected, the extent, duration and depth of the attack are far from clear. This ongoing uncertainty poses a great challenge for communications. In addition, unexpected developments or even media enquiries are to be expected, which will require a rapid evaluation and an appropriate reaction. To be able to (re-)act accordingly, a lean, coordinated and flexible crisis team is necessary, which coordinates with the top management. A consistent silence from the company would, however, mean long-term reputation damage and scare off customers and other relevant stakeholders.
- Can any business be the target of a cyber attack?

Anyone with data can be a target

Consider this scenario: a hack into the interconnected systems controlling major office buildings causes chaos by triggering fire sprinklers, creating sauna-like temperatures and manipulating critical equipment. “It’s not something that real estate investors really had to think about before, but it’s definitely on our radar screens now,” says Tom Murray, a Principal Partner at New Mill Capital, a real estate investment firm.

No business that stores or transmits information is immune from cyber attack. Some sectors have so far avoided data breach headlines, but threats and risks continue to increase.

Sectors with little history of attacks are often at greater risk. Recent reported hacks in the computer systems of cars, and even a jet’s in-flight entertainment system, shook the transportation sector. In 2016, hackers manipulated a US water treatment plant. A year earlier, a German steel mill reported massive damage after an attack disabled blast furnace controls. Surprising targets include small businesses and nonprofits.

“Ask these questions,” Do we use computers? Do we use the internet? Do we create or handle data? If your answer to these questions is yes, then you are a viable target for the bad guys.
- How can organizations meet consumers’ cybersecurity expectations?

There are three things companies can do to better meet consumer expectations:

Use a cross-functional team. To create an integrated data narrative, you need to involve wide representation from across the company.

Keep security front and center. Your safeguards are a critical part of your message. And remember: when you say “privacy,” consumers hear “security.”

Prepare. When bad things happen in the cyber realm, companies have to assume they will be blamed. Prepare now, to reduce the potential reputational harm.
- How could a cyber attack affect my organization?

Regulatory repercussions. The General Data Protection Regulation took effect in May of 2018. We don’t know yet what fines for the worst offenders will be, but they could amount to 4 percent of global turnover. The regulator could also force companies to suspend business if they aren’t satisfied the proper steps to protect data have been taken.

Loss of business. The June 2017 NotPetya attack aimed at the Ukraine caused material sales impacts for a number of global companies. They were simply collateral damage, the result of perhaps even just one user clicking on malicious links. Maersk has used the experience to warn others. They reported $265 million lost sales in a quarter following a 10-day period where the company was reduced to pen and paper while it reinstalled all of its IT systems.

Share price impact. Breached companies see immediate share price impact and underperform the market in the long term. An analysis by Comparitech of 28 breaches showed that these companies underperformed the Nasdaq by 4.6 percent over the first 14 days and by 11.35 percent over two years.

Lost productivity. Responding to cyber attacks weighs on your company’s performance. Production loss accounts for one-third of a company’s annualized costs due to cyber crime, the 2017 Accenture and Ponemon study found.

Executives are collateral damage. Companies that have suffered major breaches, like Yahoo!, Equifax, Target and Uber, often see the resignations of either their CEO, CISO and/or General Counsel.

Class action lawsuits. These are not limited to the US. We saw a firm threaten a group action suit against British Airways within days of the September 2018 data breach.
- 4 ways to prepare against cyber attacks

1. Align your response team. Swift coordination in a pressured situation requires a defined decision maker. The CEO needs to know when that decision-making power should sit with her and how the critical details to inform decisions will be shared. When facing a business unit incident that affects a global customer base and requires international regulatory alerts, that responsibility can get muddled.

The smoother the public response, the shorter the public follow-up cycle and scrutiny. That only comes with practice.

2. Consider the tough decisions. You want to be able to offer your customers something in response to a potentially protracted disruption. The first debate about exactly what that offer will be should not happen under the pressure of a tight deadline. As with any critical decision that could affect your long-term reputation with customers and employees, understand the likelihood of risks and weigh how you could respond.

When would you advise customers of a potential risk? When should you inform the market, given that it may be some time before you have a complete picture? How often should you communicate during the disruption? How will disclosure affect different parts of the business? You have to be prepared to communicate clearly but cautiously and your first communication has to be accurate.

How would issues in different regions drive decisions? Global companies must reconcile the different cultural and geopolitical pressures around the level of information expected in each market when hit with a cyber incident. Which of your markets will guide your response strategy? How would you respond to extortion? Does your executive team agree how you would respond to threats of extortion? Would you take a public stance around refusing to pay ransom, and is that more effective in your key markets?

3. Get to grips with the potential consequences. With the right questions, you can understand where you are most at risk of a cyber incident. That should inform both how much you put toward mitigation of key risks and how you prepare to respond. If a phishing attack could grant access to sensitive IP critical to your business, extra defenses and training are required.

Are those most sensitive systems the first ones your information security team would check at the notice of potential unauthorized access? Do you appreciate the level of complexity involved in understanding what could have been accessed? Where will you need to be prepared to offer compensation and how much?

4. Increase your IT security literacy. There is a call to action for boards to increase their understanding of the cyber risks their companies face, and to do that they need to understand their current defenses. This extends to the preparedness of the members of your supply chain. In the case of a cyber incident, the brunt of the blame falls on the victim of the attack – not the perpetrator.
- Can you earn a return from managing cyber risk?

Cyber resilience is not just a matter of risk management. Robust preparation across your business should be value enhancing.

An informed executive team will demand higher standards from everyone in the business. If it is a theme heard from the top, information security will be echoed across the business making it a message your customers and partners hear too. Employees want to be part of a solution and understand the role they play.

Good management appeals to investors. Our survey shows a very positive response to senior executives detailing how they’ve dealt with ongoing cyber threats and strengthened defenses and preparation.

Cyber attacks can disrupt business and carry long-term consequences. Hackers work full time to get into your system. Advance planning and company-wide cyber awareness can make their job considerably harder.
- Top 9 cybersecurity myths

MYTH: Your computer network is safe if you have a strong enough security “fence”
FACT: There is a “new normal.” Every fence has holes. Hackers will find a way into your system, so you need to plan for that eventuality by enhancing the internal protection of your most critical data. You should also think ahead about how you will explain a hacking episode publicly. What story do you want to be able to tell when – not if – your company has a breach?

MYTH: All security incidents are created equal
FACT: Hackers have different methods and objectives when accessing corporate systems. Like robbers rattling doorknobs to find an unlocked house, hackers test security systems all the time. Some merely probe networks, while others seek to steal, manipulate or destroy data. The information they target varies with the intent, from customer credit card data that they can steal to sensitive internal communications, research and development projects, or full customer profiles that can be used to expose or embarrass the parties involved.

MYTH: The government will help with a breach
FACT: You’re mostly on your own. In many countries, companies learn they had a security incident from a government agency, but often the assistance ends there. For major events where officials are interested in information about how a hack was executed, the government might offer investigative or forensic help from law enforcement and intelligence officials. But governments are sometimes wary – for legal or political reasons – of helping companies fix their computer systems or of retaliating against the believed perpetrator of a hack on behalf of a company or group of companies. Governments have their hands full protecting their own networks.

MYTH: Computer systems security is just an information technology problem
FACT: People, not software, tend to be the weakest link in data protection. A study by computer security firm Trend Micro found that 91 percent of cyberinfiltrations began with “phishing,” where malicious links are embedded in emails sent to unsuspecting employees or customers. Recipients unknowingly grant the hacker access to their computers when they click on the link.

MYTH: Communicating about a corporate breach must be reactive
FACT: Plotting out a communications strategy in advance for different types of data security problems will help a company understand the risks and plan for them. It’s also worth thinking about what data the company has that could be damaging to it – or others – if released.

MYTH: All hacking is a cyberattack
FACT: There are many flavors of hacking, and the most common types are not attacks but network infiltrations to steal corporate secrets. Cyberattacks that manipulate or destroy data or computer systems are still relatively rare. However, these attacks have been on the rise, as seen recently with the breach at Sony Pictures that both destroyed data and exposed embarrassing company communications.

MYTH: Breaches must first be handled by technical and legal experts and only later shared with other key people in a company
FACT: Given the reputational risk a breach generates, an organization’s communications team should be involved in early discussions about the event to provide guidance on how to ensure the company maintains the trust of the public. The team should also be well versed in cybersecurity basics before a hacking incident, so it can quickly get up to speed when one occurs.

MYTH: With a breach, the biggest problems are security and legal issues
FACT: The greatest threat a breach poses is ultimately to corporate reputation. While the need to fix security problems and address legal issues is clear, companies may not realize that how they discuss the event publicly at the outset will often determine whether they can recover the confidence of the public – and investors – once it is over. Companies that change their story over time risk a more severe loss of that trust.
