Cybersecurity is a business problem and communications is key to the solution
While cybersecurity has long been viewed as the purview of a company’s IT/security department, the recent spate of high-profile hacks has spurred a rethink on that approach. In the past week, we learned that Yahoo is under investigation by the US Securities and Exchange Commission over the fact that the company did not disclose details regarding two significant data breaches to investors prior to selling its core assets to Verizon. The incidents took place in 2014 – the sale in 2016. Speculation is now rife that Verizon may try to renegotiate the final sale price as a result.
Clearly, the consequences of a poorly thought-out and poorly executed response to a cyber breach are real, and costly, not just to a company’s bottom line but to its perception as a trustworthy brand. With that in mind, communications is playing a more pivotal role than ever in how companies plan and respond both internally and externally to a cyber breach.
In this blog, I want to talk about why all companies must view the issue of cybersecurity as a holistic business issue – not just an IT/security issue – and leverage internal expertise across multiple areas (IT, security, communications and legal) to create a coordinated plan of response in the event a breach occurs.
We can all imagine a scenario where a hacker has breached our company security perimeter. The first reaction is to contain the breach – this is where IT and security step into the picture. But it is what happens next that so many companies get so wrong. Bruised by the experience, many retreat behind closed walls and hope for the best – ‘the breach wasn’t too invasive’, ‘personal information hopefully remains secure’, ‘it is unlikely to happen again’, and ‘no one will find out.’
This is where the right communications strategy is key – non-disclosure in most cases is not an option. It is imperative to have a clear, concise and comprehensive disclosure plan in place – both for internal and external audiences, and for as many eventualities as can realistically be planned for. This ensures all affected parties are informed, the message is consistent and the reputational fall-out when that disclosure hits press and social channels is contained.
It also plays a vital role in reassuring audiences – from shareholders and employees to customers – that as a company you have the matter in hand and are in control.
But the solution to managing cyberattacks doesn’t stop just at IT/security and communications. Cyber incidents of all kinds – especially those that potentially compromise personal information – have legal implications. Companies run the risk of class action lawsuits, individual suits and even possible regulatory action. As growing companies seek to build out their leadership teams, hiring lawyers with a thorough understanding of cyber risk issues is vital.
The challenging part for many companies is bringing these vested parties together to coordinate a response. All too often these teams operate in silos. This is where prevention is better than cure.
Don’t wait for a breach to happen to build a response plan – every company of every size should have a plan in place in the event a cyber breach occurs.
Work across all stakeholders to determine the ‘cost’ of a cyberattack to your business – from a technology perspective, a legal perspective, a brand perspective. The business impact of such an attack makes for sobering reading.
This plan should be the combined work of all the stakeholders in question – lawyers tend to favor minimal disclosure of details to prevent liability; communications sometimes recommends the opposite, mindful of the fact that information vacuums leave space for inaccurate narratives to take hold. It is imperative all parties work together to determine a coordinated response in the event a breach occurs, balancing the needs of the business, communications and any potential legal liability.
IT and security teams should not have to provide a step-by-step guide to security technology and cyber risk – vested teams across the company should already have a solid understanding of these, and if they don’t they need to start learning.
Many people like to create resolutions for the New Year. My recommendation to companies of all sizes is to resolve to reconsider cybersecurity as a business-critical issue first and foremost. Prioritize, plan and devise a coordinated response to a potential cyber incident. Assess the potential fallout across all divisions and build a team that puts communications at its center to create a synchronized plan of action. It will prove to be one of your most valuable resolutions.