Cyber Attacks: How companies fight back
This article was originally published on Finsbury.com
What matters most is not what happened but what companies do to protect you.
Insights from our November breakfast panel on cyber attacks and crisis communications, which featured the Wall Street Journal’s Investment Banking Editor Anuj Gangahar, OakNorth Bank’s Data Protection Officer Jean-Michel Garcia-Alvarez and Finsbury’s digital and cyber specialist Meglena Petkova.
At Finsbury’s Cyber Breakfast, audience members heard from experts about how cyber breaches are becoming not only more common but also more sophisticated. No matter how good their defences, companies across sectors and geographies must now have a cyber resilience and response plan in place. That means they must know who their audience is, what to say and how to reach them at speed.
1. It's not the 'what', it's the 'what's next'
Data incidents are not a ‘typical’ crisis, where the focus lies in what went wrong. Meglena Petkova, Finsbury’s Head of Digital, pointed out: “You may know your system has been breached but you don’t know who has launched the attack or what they are targeting specifically.” It is therefore unsurprising that the real concern is no longer how you were attacked but when it took place, at what scale and how you should respond. Even with a military-grade infrastructure, a company’s data can be compromised due to simple human error – and what will be remembered is how the company responded, not how it was breached in the first place.
2. It’s not enough to communicate; you also need to connect
Jean-Michel, OakNorth Bank’s Data Protection Officer, said: “The simple fact that [there’s been a breach] is of less concern when you know what the company is doing to protect you.” Communication should be focused on what is being done to fix the problem and how the potential downside for those affected is being mitigated.
This requires structures to be in place to deliver these messages quickly. Jean-Michel explained that OakNorth Bank has tailored its response systems to the demographics of its depositors. For OakNorth, that means social media is not the primary channel; rather, letters and a call centre are the most effective means of deploying information quickly to its clients.
3. Preparation remains the name of the game
Many companies, however, aren’t always as prepared as they could be to respond. Meglena highlighted that rapid digital response infrastructure, such as dark sites, Google and social media ads, is essential to proactively reassuring customers while reducing the risk of misinformation during times of high stress.
4. More speed, less haste
It is true, though, that proactive communication is not always the best starting point. Companies that have not considered their circumstances can get into trouble unknowingly, as Anuj noted of a recent major European bank breach. The bank only became aware of the breach when asked for comment by reporters. The scattershot response that followed from the communications team, including panic, misunderstanding of the scope of the breach and an immediate but incorrect response claiming no client information had been stolen, made the problem worse.
Nevertheless, while the balancing act between gathering facts and the need to disseminate them is not always easy, extended delays can lead to inaccurate reporting and leave room for comments from third-party experts, which can further expose the company. “For a journalist, not receiving a timely response from a company and seeking third-party input is par for the course, hence getting on the front foot as an institution is the answer”, Anuj said.
Even if protecting your customers’ data is ingrained in the company’s DNA, a response to an active cyber crisis should be tailored to the situation, not an impersonal repeat of company policy, said Anuj. “If you say you have ‘corporate values’ but not the infrastructure to enforce them, it’s pointless to stress them.”
In this fibre-fast digital information world, with infosec (information security) architecture racing to keep up with cyberthreats, darknet markets showing no signs of closing and the never-ending drumbeat of 24/7 news on social media, corporates need to shift their focus beyond pure IT defence and ensure they have a reputational defence and response plan in place for cyber-attacks as well.