“Reputational damage from cyber security lapse is likely to be uninsurable, and could potentially be fatal.” – The Institute of Directors

Companies are walking a digital high wire. On one side, customers expect to reap the benefits of digital technology. Today it’s TV-on-demand and mobile banking; tomorrow it could be self-driving cars and homes powered by the Internet of Things. On the other side, customers and regulators demand that sensitive and personal data be secure. Failure can be massively expensive. Under new EU data protection regulations, companies can be fined up to 4% of global group-wide revenues for a breach. But the cost is not merely financial. The Institute of Directors (IoD), a UK business advocacy group, recently warned: “Reputational damage from cyber security lapse is likely to be uninsurable, and could potentially be fatal.”[1] 

So how do smart companies prepare for the unknown and maintain the trust of their consumers? 

1. Product delivery must never come second to consumer protection

Pulling back from digital technology is not a viable option for the vast majority of businesses. It’s not only consumers that have grown accustomed to the benefits – companies need data. Freshfields, the leading global law firm, found that 89% of companies believe data is critical to being competitive in their industry.[2] 

Nevertheless, cyber-attacks and data breaches are an inescapable reality of doing business in a digital world. While the cost of data breaches can be difficult to quantify, research by the Ponemon Institute indicates the biggest impact is to the company’s reputation, brand value and image in the marketplace.[3] 

As a result, more and more companies are recognising that cyber security needs to be addressed at the board level and strategic communications must play a critical role in preparing for, dealing with, and rebuilding trust after a data breach. 

2. Develop a safety culture that extends beyond the physical

In manufacturing and engineering businesses, safety culture permeates all company practices, from holding handrails on stairs to regulations on protective body wear. Likewise, the human risk element of cyber security is an increasingly pressing issue for corporate leaders. Unless customers and staff understand how to be safe online, no amount of investment in hardware or military-grade software will save a business from a simple phishing attack built on social engineering.

Instilling this culture begins with internal communications and consumer education, which are built into the sales model and reflect corporate strategy. Boards must recognise the importance of communications given the primacy of reputational damage and the critical role of ongoing stakeholder education in mitigating risk. Regularly communicating about how to keep data safe is an important way to strengthen relationships with customers and staff.

3. Write, rehearse and revamp your response plan

Fundamentally, cyber security must no longer be seen as an IT problem but rather as a business critical issue. IoD research shows an improving picture, with 57% of its members surveyed having a formal cyber security strategy in place and 49% providing cyber security education to staff. Worryingly, however, 43% said they didn’t know where their company’s data was stored.[4] 

In addition to a company’s relationships with customers and staff, a fully defined crisis communications response strategy will make or break any recovery from attack. Directed by the board, the strategy should ensure the right processes and people are in place. These should be tested regularly via realistic simulations and updated in light of real-world scenarios. Given the potential scale of major cyber-attacks, companies should be ready to mobilise significant resources while keeping decision-making teams lean and effective.

As long as its crisis response infrastructure is established and tested regularly, a company will be better placed to deal with the most important question: when, and what information, to disclose should a breach occur. Currently this is seen as a legal and regulatory question, but the answer is likely to be complicated by potentially intense media pressure, a falling share price, customer anger and imperfect information about a fluid situation. Any response must be proportionate, prioritising key stakeholders without creating undue concern. Proving that the company has been fully compliant and has made its best efforts to protect customers is vital. Clear communication with regulators is a prerequisite.

In the face of acute media interest, stricter regulation, higher penalties, and potentially unforgiving customers, companies are increasingly taking the digital high wire seriously before a crisis hits. With the right understanding, investment in systems and people, and a commitment to use communications effectively, star performers will continue to shine. 

[1] Cyber Security: Underpinning the digital economy, IoD Policy Report, 2016

[2] Dealing with Data, Freshfields Bruckhaus Deringer Report, 2016

[3] 2014: A Year of Mega-Breaches, Ponemon Institute

[4] Cyber Security: Underpinning the digital economy, IoD Policy Report, 2016

By Theo Hildebrand, a Principal in Finsbury’s London office