Minimising reputational damage after a breach
Badly-handled communications can worsen the situation for an organisation that has fallen victim to a cyber attack.
That was the word from Marina Bidoli, partner and office head at communications advisory firm Brunswick South Africa, speaking at the ITWeb Security Summit 2019 on Wednesday.
She pointed out that in the event of an attack, organisations need to have a clear communications strategy in place to minimise reputational damage. This is critical because there has been a marked increase in cyber attacks, both locally and internationally, making such an event all but inevitable.
“Internationally, I need not touch on the massive Facebook (Cambridge Analytica and WhatsApp) breaches, as well as Uber and BA. Recently, a German online paper reported on an Amazon breach based on information derived from Alexa voice recordings from the victim’s living room, bedroom and even shower.”
South Africa has also recently witnessed attacks on critical public infrastructure and public service providers. Although attacks are on the rise, Bidoli said what’s often forgotten is the longer-term reputational impact of a poor response, as trust in the business, its leadership and the brand is eroded.
Other impacts include negative media and social media exposure, public outcry, litigation, shareholder activism, share price devaluation as well as additional regulatory oversight, she noted.
“The victims will quite rightly hold you (IT security and top leadership) responsible. It becomes a case of, ‘You should have seen this coming; you should have been better prepared; I trusted you with my information; why did you not protect me?’”
What can be learnt from Equifax
Giving an example of poorly-handled communications after an attack, Bidoli cited US credit rating agency Equifax, which suffered a massive data breach in 2017, exposing highly sensitive data of as many as 145 million people globally. This included social security numbers, drivers’ licences and some credit card details.
Equifax’s share price dropped 13% in early trading the day after the breach was made public, and numerous lawsuits have since been filed against the company as a result of the breach.
“Always put the customer first,” advised Bidoli. “Remember that the public blames the company first and foremost for not looking after their data.”
Brunswick recently conducted research with informed audiences in the UK and SA, which confirmed this. More than half of South African respondents blamed the company for a breach, followed by government and then the cyber attacker. In the UK, respondents also blamed the organisation first; the difference there was that they blamed the attacker ahead of government. “So while the company itself may be the victim of an attack, the public is not forgiving. Don’t expect sympathy from your customers,” said Bidoli.
Commenting on lessons learnt from the Equifax breach, she said that mistakes included a poorly drafted media release that raised additional questions about the timing, disclosure and details of the breach. There were other errors, ranging from poor functionality of the microsite and a CEO video whose tone and language did not reflect the gravity of the situation, to call centres that could not cope with the influx of queries. Equifax was also widely criticised for its sign-up process for a free identity protection service: it was complex, and users were required to forfeit their right to join a class action lawsuit in order to sign up. Then there were other unexpected curve balls. It transpired that three Equifax executives sold almost $1.8 million of their personal holdings of company shares days after Equifax discovered the breach, but more than a month before the breach was made public. One of the executives pleaded guilty to a federal insider trading charge.
Companies should learn from such case studies, said Bidoli, who pointed out that massive breaches very often carry a significant personal cost for those in the C-suite. CEOs, CISOs, CFOs, chief legal counsel and even board directors have ended up losing their jobs. Cyber security is not something that can be delegated to lower levels of the organisation. It is for this reason that Bidoli urged organisations to take a holistic approach.
“Prepare for the hack – create cyber playbooks and toolkits, do simulations and media coaching for your spokespeople. Once you are hit, don’t panic. You have prepared. Bring in the experts to help you respond effectively. Have a statement on your website and annual report. Show that you have thought about cyber risk. This will help build trust with your most important stakeholders early on.
“Organisations must plan and manage reputational impacts through engaging the media, customers, employees, investors and partners.”