Cyber Protection Requires the Art of Communication and the Science of Data Security
Greg Young, Trend Micro, and Karishma Singh, Proof Strategies
Do you remember when a tech problem was an IT department problem? Cyber risk has exploded that siloed approach, emerging as one of the most multidimensional risks facing organizations of all sizes globally. When Equifax exposed the personal information of 147 million customers in 2017, it cost the company an estimated USD 3 billion in legal fees, fines, remediation costs, and lost revenue. Six years later, the organization is still rebuilding its reputation and trust among consumers and regulators. While this is a poster child for how bad it can get, almost all data breaches leave a trail of scorched balance sheets and reputations.
The Growing Peril
A recent study by Trend Micro found that Canada ranked 3rd globally among countries most affected by ransomware as a service (RaaS) and extortion attacks in the first and second quarters of 2023, just behind the U.S. and U.K. This is not a competition we as a nation want to win. Today, no organization can escape being targeted by hackers. Small- and medium-sized businesses, non-profits, charities and municipalities aren’t immune and are among the most vulnerable, as they have the fewest resources to protect themselves and respond. In Canada, while the detection of ransomware files at large organizations decreased by almost 70% in the second quarter of 2023, we saw a 214% increase in detections among small businesses.
Business leaders who strive to be trust builders (and let’s face it, that should be all of them) must face the reality that it’s no longer about if their organization will face a cyber threat, but rather when.
Cyber Risk = Business + Reputational Risk
When a company succumbs to a cyberattack, beyond the astronomical costs associated with business interruption, fines and penalties, increased insurance premiums, make-good expenses and consultant fees, the damage often includes the loss of the priceless trust of its stakeholders – from customers to employees to regulators to partners. What’s more, the combination of disclosure obligations, news media interest and social media networks means it’s now near impossible to keep a cyber breach under wraps.
A recent cyberattack in Ontario exposed the personal health data of approximately 3.4 million infants and people seeking pregnancy care. The costly disruption this caused was compounded by reputation damage in the extensive media coverage and a stern rebuke from Ontario’s former information and privacy commissioner, who slammed both the breach itself and the organization’s poor communications afterwards. This two-pronged damage points to a need for both the art of communications and the science of data security.
The Imperatives for Business Leaders
As cybersecurity month draws to a close for another year, here are three steps business leaders should take to navigate this growing risk:
- Take a cross-functional approach: Cyber risk can potentially disrupt every business element. This means that, in addition to IT, the HR, legal, marketing, operations, finance and, not least, communications functions need a seat at the planning table. Boards must also accept that cyber risk management is within their oversight and make it a priority.
- Create a culture of employee vigilance: The combination of multi-tasking by busy employees, clever phishing attacks and increasingly malicious file attachments has widened the risk exposure. Employees need regular training and testing to harden an organization’s cyber defences and, in some cases, change management experts to ensure effective communications.
- Prepare to communicate externally: Every business continuity plan should contemplate a cyberattack and be paired with a robust crisis communications plan. It’s often said that how an organization communicates in a crisis is even more important than the crisis itself. Effective communication can be the difference between a brief and forgiven event and a catastrophe that plays out over months and even years.
The sooner leaders accept and understand that cyber threats bring business continuity and reputational risk, the better they can avoid both.