Reputation Management in the Age of Cyberattacks

Note: For any brand developing a reputation management or crisis communications plan today, leaving out cyber risk is a major oversight. Cybersecurity expert David Lukić shares tips on how to prepare for and manage a cyberattack.

Cyberattacks are feared by just about every organization, regardless of size. They can have financial, legal, and technical implications for any organization that experiences a breach. Perhaps the biggest risk is that cyberattacks can erode trust in your business.

Every single day, there’s a business that’s hit by a cyberattack. According to the Cisco Annual Cybersecurity Report, the total number of cyberattacks increased almost four times between January 2016 and October 2017.

Since then, cybercrime has increased every year as more cybercriminals try to benefit from vulnerable business systems.

It’s extremely important to protect your business from cyberattacks. This will ensure all categories of data are protected from theft and damage. In addition, it will prevent reputational damage to your business, thus ensuring trust and confidence from customers.

What Is Cyber Risk?

In this day and age, more and more companies migrate their infrastructure to cloud-based systems. Cybercriminals have taken advantage of this, and thus the threat of cyberattacks has increased. Cyber risk can be defined in several ways.

The simplest and most precise definition is the following: cyber risk is any risk of financial loss, disruption, or damage to an organization's reputation from a failure in its technology systems.

Poorly managed or governed cyber risks can leave your business open to cyberattacks. The consequences of this range from data disruption to economic fallout.

Cyber Risk Governance

Cyber risk governance squarely focuses on the top of the organizational structure. It seeks to understand whether there’s a proper approach to triangulating the risk of cyber threats.

By definition, cyber risk governance is a framework adopted within an organization to deal with new and evolving risks in cyberspace. This is both within the organization and as the organization interacts with the outside world.

In this framework, the important actors are the board, the executive team, and top frontline management in charge of executing cyber risk management.

If your business doesn't have the right overall cyber risk governance program in place, the potential risk to your reputation may be costly, difficult, and lengthy to repair.

Cyber Communications Plan

Business-related cyberattacks are inevitable. It isn’t a matter of if, but when your business will face a cyberattack. So it’s necessary to have a pragmatic and tailored approach to communicating with all stakeholders should a breach happen. This is what is referred to as a cyber communications plan.

Most organizations increasingly prepare for the financial, legal, and technical implications of a breach. Many of them continue to overlook developing a communications strategy, which is critical in the early stages of a cyberattack incident.

When a cyberattack hits a business, the first reaction is usually panic. But when people panic without a real plan of action, valuable time is wasted. Cybersecurity breaches can be a pivotal public relations issue where stakeholders are not notified.

A strategic communications plan has to be integrated into your cybersecurity efforts. This will ensure the long-term protection of your organization’s reputation.

If you haven’t developed a cyber communications plan, it's better to be proactive and develop it now. You are then prepared for attacks when they happen.

Your plan should include when the business should share messages, the context of the messages, the recipients of the messages, and how the messages will be sent. This will ensure your customers retain their trust in your business.

Why Reputation Risk Management Matters

Building a reputation can take years. Tarnishing a reputation, however, is quite easy, and it just takes one security breach. It is strategically important for companies to demonstrate transparency to build public trust.

Now, more than ever, customers are aware of the risk of cyber threats and the potential risks to their personal data. They are also more aware of what protection companies owe them.

Business Reputation Management in Action

It’s possible to protect your business reputation from risks. In this section, we look at what businesses can do before, during, and after an attack to formulate a game plan to manage their reputation.

Before an attack

• Identify and secure your company's sensitive data, such as intellectual property and your customers' personally identifiable information.
• Educate your employees on basic data security measures, social engineering methods, and how to identify potential breaches.
• Put together a team of incident responders. Make sure to provide them with the tools they'll need and train them on how to use these tools.
• Create a set of actions that your business will take to quickly and effectively address a security incident.
• Establish an alert and follow-through process to maintain a communication channel.
• Involve key departments such as marketing and legal in coming up with what to say to customers.

 During an attack

• Keep all stakeholders updated on any new developments and steps your business has taken to remedy the severity of the situation.
• If your company has a blog or page where you can post company news, draft an account of the events from beginning to end and what your plan is or will be after the breach. Be transparent.
• Identify and document the following information. It will be useful when it’s time to notify clients and the public about the breach:
  • Compromised systems, assets, and networks.
  • Any data in affected machines that has been disclosed, taken, elected, or corrupted.
  • How the breach happened.

After an attack

• Notify your clients and other entities affected by the breach.
• Prepare to receive and answer questions from anyone interested in learning more about what happened.
• Rejuvenate stakeholders' confidence and trust by focusing on breach preparedness, containment, and mitigation strategies. This will be proof of your company's commitment to its clients.
• Review the information your company collects and stores to identify data you don't need. The fewer customer data you keep, the less data that’s at risk.

How to Mitigate Reputational Risk

1. Identify potential risks through the customer lens. Always consider your customer’s perspective when identifying the reputational impact of potential breaches. Why do customers trust your company? What would they consider an unforgivable breach of this trust? Before a crisis, your management teams should think through potential issues. This will ensure future risks are identified before they happen.
2. Prioritize reputational risk as a business strategy. It’s hard for IT leaders to determine the appropriate places to spend their limited budget. A reputational risk management strategy is important for your business. Implementing a strategic plan that anticipates reputational impacts rather than just being reactive to a damaging event will serve your business best.
3. Encourage departmental cooperation. One of the biggest problems in a business is the inability to share important knowledge across various departments. Organizational silos are barriers to change and communication. They make it hard to collaborate when critical problems arise. Encouraging collaboration will improve interdepartmental communication making it easier to identify and tackle threats.
4. Establish a risk governance structure. The executive team has an important role not only in supporting a strategy but in doing damage control. When formulating a crisis management strategy, your organization should collaboratively work to choose leaders across all business units. The most effective way to manage misinformation is to allocate individuals who are the only people authorized to serve as the company's voice in times of crisis.
5. Formalize and practice. After you formalize the essential aspects of your crisis plan - like how to mobilize a response, make decisions, and what information to communicate- it's time to practice. Rehearse a few critical reputational risks to see how they play out. Make sure all major players know their responsibilities in case of a reputation-damaging cybersecurity incident.

Business Resilience

A resilient business is one that can manage a cyberattack, mitigate its impacts, and recover quickly. Some of the key elements to building resilience in your business include:

• Gap analysis - Ensure you critically review existing protocols and responses.
• Cyber communications plan - Create a plan that includes an escalation process, definition of roles, and pre-approved messages.
• Simulations - Conduct periodic crisis simulations focused on cyber scenarios.
• Leadership training - Ensure the board is kept up to date and senior executives have their own coaching sessions.
• Spokesperson training - Effectively train the person who’ll be the public face.
• Relationship development - If there is a cyber incident, identify influencers and stakeholders and plan to engage.
• Trend monitoring - Follow how the media cover cyber incidents in your industry.
• Internal education- Share information with employees who’ll help mitigate the risk.

Businesses remain a prime target of cybercriminals and nation-states. Even though It's the new normal, it's still something that many organizations are choosing to deny. Sure, it's one thing to know how to recover from a cybersecurity incident. But knowing how to manage your company’s reputation before, during and after the fact gives you a competitive advantage.