A Data Breach is a Breach of Trust
Concerns about cybercrime reached epic heights recently with news that the cybercriminal gang REvil has executed the largest ransom attack in history, claiming to have paralyzed one million systems across the United States, Germany, Canada, Australia, the U.K. and other regions. The group is demanding a $70 million ransom to provide a universal key that will unlock the systems of all those affected, though it’s unclear who would pay.
It’s no coincidence that ransomware is on the rise. While many companies have focused on simply staying afloat through the last 16 months of the COVID-19 pandemic, cybercrime has accelerated and is now reaching endemic proportions. Like the pandemic, cybercrime can be hard to detect and requires rigorous safety precautions. It targets the most vulnerable. It spreads easily across borders and morphs into new variants, each more dangerous than the last. Its effects can be devastating.
Cybercriminals are using the global COVID-19 distraction to prey on technical and human vulnerabilities. Remote workers are often not protected behind company firewalls and using less secure personal devices. Rushed e-commerce solutions mean more data collection and more risk. On the human side, stress and exhaustion have made people more vulnerable to clever phishing emails. Ransomware cases are skyrocketing, spurring debate over whether cyber insurance policies that pay ransoms are essential protection or encouraging the ransomware-as-a-service (RaaS) industry to flourish.
The Threat to Trust
When cybercrime leads to the theft of personal data, the organization that has been breached faces a loss of trust that is potentially much more devastating and longer-lasting than the immediate perils (service interruptions, IT and legal expenses, etc.).
Trust is based on a person’s evaluation of an organization’s or leader’s competence and effectiveness and whether they will “do the right thing.” A data breach is a trust failure on all three counts. Why? Because society expects organizations to take appropriate precautions and treat personal information for what it is: personal property, on loan and entrusted.
In a recent survey of over 300,000 respondents across 15 markets by Morning Consult, respondents were asked to rank actions that would make them lose trust in a brand. Respondents put a data breach that compromised their personal data at the top of the list — above a bad customer experience, lying about charitable giving, environmental harm and a host of other bad behaviour.
A Threat Beyond the Breach
But the trust hit caused by a breach is only the beginning. After a breach, an organization’s perceived competence, effectiveness, and integrity in responding become a second trust test. Here, many organizations fail again.
So how do you safeguard your organization’s trust from a cyberattack? At Proof Strategies, we recommend The Three Rs: Ready, Respond, Reassure.
A cybercrime attempt is no longer a question of if but when. The most obvious safeguards are those handled by your IT function (e.g., firewalls, safe user policies, etc.), but other planning is crucial. Appoint the response team in advance that will handle a breach. Document roles, responsibilities and contact information. Set up communications protocols, channels and messages. Determine your reporting obligations by breach type and jurisdiction. Speak to your insurance company about what is and isn’t covered by your current policy, as costs run high. Finally, scenario planning and simulations – ideally conducted by a third party – are essential to testing plans.
If a breach occurs, the first imperatives are containment and assessment. In a ransom situation, pre-determined technical, financial, and philosophical thresholds should inform decisions. Skillful and empathetic communication is crucial. Beyond mandatory reporting obligations, a good guiding principle is to treat others how you would expect to be treated if your own personal data were allowed to be stolen or became inaccessible. A little empathy goes a long way to restoring trust. Clarity and frequency of communications are important, as are media and social media monitoring to identify lingering questions or misinformation.
Once the breach is over, the job of trust restoration begins. This usually involves an undiluted apology. Stakeholders will expect a thorough investigation into how the breach occurred and deliberate steps to ensure mistakes are not repeated. Last year, we launched TrustLab to advise management and leaders on understanding, building and restoring trust.
Meanwhile, as vaccination rates rise and the number of new COVID-19 cases falls, there’s hope on the horizon for a safer future. Unfortunately, the same cannot be said for data breaches. Until there is a vaccine for this growing risk, organizations must do all they can to safeguard trust, and that means being ready, responsive and reassuring.
We encourage you to be prepared and plan communications in advance. To discuss trust and data breach communications for your organization, please contact Josh Cobden at firstname.lastname@example.org.