Royal Mail, JD Sports, The Guardian, and WH Smith: the list of household names brought low by cyberattacks and data breaches is growing fast. The same is true below the waterline, where thousands of less familiar businesses find their systems inaccessible, their data stolen, and their reputations held to ransom.
But while UK Government data shows 39% of UK businesses identified a cyber-attack in the year to March 2022, only 54% of businesses over that period acted to identify cyber risks and less than one in five have a formal incident response plan. Can the remainder really afford the reputational damage that a cyber-attack can bring – let alone a hefty fine from the Information Commissioner’s Office (ICO)?
Perhaps some businesses feel reassured by the very fact that cyber-crime is so prevalent. Indeed, one consequence of the increase in high profile attacks and increasing public awareness is a broad consensus that no business, regardless of scale, can be completely watertight. It could happen to anyone, so being the victim of an attack doesn’t damage reputation like it once did. Right?
But there’s another side to that argument. With cyber-crime so common, there’s no hiding place for any business that has failed to prepare. And while an attack itself may not trash corporate reputation, poor communication with customers, staff and the media certainly can.
Take Optus, one of Australia’s leading telcos, which took a hit in 2022 as it failed to respond adequately to a data breach impacting as many as 10 million customers. Optus’ slow and vague response to the attack, where it was reluctant to apologise and attempted to (falsely) imply that the breach was not its fault, lacked empathy and contrition. This sparked widespread criticism from both customers – who felt let down, disrespected, and like they weren’t receiving accurate information from Optus – and front-line politicians eager to be seen as on the side of consumers.
So, what do your customers, clients and staff expect if your business does suffer a cyber breach?
Put simply, they want the victim to communicate quickly, openly, and plainly, to empathise with those whose data may have been stolen, and to set out clearly what people can do to protect themselves.
But these simple needs can’t be met without good planning. Businesses that respond well to a cyber-attack have invested in regular checks to security systems and are aware of their key legal obligations to clients and customers. Plans are in place, stakeholder lists are prepared, and scenarios have been thought through so that business leaders can act with a cool head in the heat of the moment.
Just as important, those responsible for the plan’s implementation have been adequately prepared to action it. Even the best plan is worth little if it gathers dust on a bookshelf and cannot be actioned effectively; a single weak link in the communications chain can lead to confused and inconsistent messaging. Regular training is crucial to any business that wants to be properly prepared for the worst.
No-one likes to pay for insurance that they never use or to prepare for a crisis that may never happen. But the statistics on cyber-crime are stark. One day soon it will be you, and it is hard to write a cyber response plan if you’re already locked out of your systems.