Reputation Security in the Age of Cyber Risk

Posted 18 July 2017.

​By Rewa Willis, Director, Sherson Willis and Comms Council PREScom Committee member.

​In February this year, the 20th annual PWC CEO Survey revealed that 91% of New Zealand’s CEOs are concerned about cyber-attacks, compared with only 61% globally. The C-suite’s growing concern over digital security reflects the views of cyber security experts, with New Zealand businesses among the world’s highest outsourcers of their IT network management and data storage.

The Directors’ Risk Survey conducted by Marsh showed New Zealand directors think cyber-attacks will be the biggest threat locally this year. These fears were confirmed with the unprecedented global reach of the Petya and WannaCry attacks. The high-profile ransomware attacks hit companies of all sizes in both the public and private sectors, sparking panic worldwide.

The financial impact of cyber security breaches tends to focus on the immediate cost of the attack: data has been compromised. Recent insights from Juniper predict that criminal data breaches will cost businesses US$8 trillion over the next five years. However, the real cost of a cyber-attack hits at the heart of an organisation – at something much more difficult to recover than data: your reputation. With the rise of the so-called ‘reputation economy’ reputation is now a capital asset.

As The Economist recently reported, it’s not a matter of if, but when. Ransomware made headlines last month, but it could be anything from data breaches to phishing scandals next. Cyber-attacks are constantly evolving, hard to explain and even harder to trace. The lack of an obvious culprit often means blame falls on the organisation victimised in the attack, for a perceived lack of security. Australia has introduced mandatory reporting of data breaches, leading to a rise in companies reviewing their cyber security practices.

The most crucial step in securing your reputation against the damaging effects of a cyber-attack is planning, but the recent New Zealand Institute of Directors’ survey found that 32% of respondents had no framework to manage cyber-attacks.

Your first step is to get match fit. A team can’t run onto the pitch and win the game if they’ve never played before.

Start with your staff. No organisation is immune to cyber-attacks. It is impossible to completely guarantee the safety of your data against an endlessly shape-shifting threat. Instead, the focus should be on identifying and managing risk. New cyber tools and technology are being deployed to mitigate ‘human risk,’ because cyber security isn’t just a tech issue, it’s a people issue. Making ‘cyber hygiene’ part of your organisational culture is now a priority for every Kiwi business.

Start communicating with your staff about their role as the first line of defence against cyber security issues. It ranks up there with Health and Safety, and staff should understand how to keep themselves and your organisation safe. Attacks will target ‘human end points’ – figures within the operation who have gaps in their awareness around cyber security and risk. The more aware your people are, the safer your business is. Teach staff to be your ‘human firewall’ – make communication about a security-conscious culture a priority and give everyone the right skills at the right levels to spot potential threats.

Having mission critical IT infrastructure management and data storage outsourced to third party providers can create additional complexity and add time to your crisis response if you’re hacked or your network is compromised. Choose a team of internal and external advisors before a crisis hits, so you can plan and practise with them. Make sure you have communications and cyber security experts who know and trust each other, so they’re speaking the same language when a breach occurs.

When an issue occurs, ‘gamify’ what’s happened and what could happen because of it – play out every scenario that could occur. This will enable you to give your board, management team, staff and customers the right information they need to help protect themselves and the organisation.

Transparency is key. Customers need to have confidence that you’ll tell them first if something’s gone wrong and give them the information they need to protect themselves, or mitigate the damage if data is taken. If your customer’s data has been compromised they need to know what’s been taken and what steps they can take to protect themselves. Reputation is all about trust.