Mitigating cyber-attacks has become a 21st century cost of doing business, but it is not enough for boards and management to have a plan that deals only with the financial impact. Serious consideration needs to be given to the reputational damage of such an event and to how a company would manage it through a crisis communication plan.
Mandatory data breach reporting (Australia's Notifiable Data Breaches scheme) was introduced in February 2018 and applies to businesses, both listed and private, with an annual turnover of more than $3 million. This regulatory attention highlighted how exposed modern businesses are to the opaque world of cyber-attacks and to the financial and reputational harm they can cause.
Planning for these crises and responding to them under the right communication protocols and through the right channels is required to minimise both reputational and financial damage. All stakeholders, both internal and external, require clear, concise and consistent information from the company.
IBM’s 2018 Cost of a Data Breach study put the average global cost of a data breach at US$3.86 million, and rising. That headline figure scales with the size of the breach: the same study found the average cost of each lost or stolen record containing sensitive or confidential information to be US$148, which is also rising.
LandMark White’s recent data breach resulted in 37,500 valuation records and 1,680 supporting documents being uploaded to the internet. The reputational damage is clear, with the four major banks (Commonwealth, NAB, Westpac and ANZ) initially suspending their use of the valuer, but the full financial impact is still unclear. The company has been in a trading halt since February 14th and has lost its CEO and two non-executive directors, while business media and shareholders continue to ask probing questions.
The LandMark White case is a good example of the impact a cyber security attack can have on a business. And every business is a potential target, whatever its type, size or industry. The Verizon 2018 Data Breach Investigations Report listed accommodation, education, finance, healthcare, information, manufacturing, professional services, public sector and retail as the industries most frequently targeted globally.
Cyber criminals are both hardworking and relentless. They use advanced social engineering techniques to target staff members and lend legitimacy to their scams. They are also known to research organisations and individuals on social media and through publicly available information such as annual reports, shareholder updates and media releases. It is worth considering that, according to Sophos Group plc (the British security software and hardware company), one in ten people who are sent a phishing email will click on the link; I imagine you have more than ten people in your organisation.
The best defence a business can mount is a layered one: technical controls, robust internal processes, and active monitoring of its systems and networks as well as of cyber security trends and threats. It is also important that employees are regularly briefed on current scams and empowered to apply common sense.
Just as important is an effective crisis communication plan. Can you say with confidence that you could respond to an incident in which customers’ or employees’ bank details were stolen? What about their home addresses and identity documents? Or employment contracts? Businesses hold increasingly complex and personal information, so a breach can play out in several different ways, such as intellectual property being stolen by a foreign entity or customer data being held for ransom, and the plan needs to cover each of them.
Cyber insurance is now a major consideration for company boards. Given the potential for shareholder lawsuits, cyber security must be elevated well beyond an IT issue.