We should all be in the mindset that it’s not if, but when, we are compromised.
We need to be prepared for that day. A cyber mission assurance approach means positioning your defences around your key assets, because these are the assets most critical to your organisation. For whatever reason, the Respond and Recover functions of the NIST Cybersecurity Framework are two areas of low maturity for many organisations. It is vital to understand, however, that when your organisation is attacked, your planning and response will be crucial.
Recent breaches have also shown that organisations need to focus on the intangible assets as well - namely the reputation of the organisation.
What is important to recognise immediately is that a data breach instantly presents risks to the organisation’s reputation. How the organisation responds to that breach, or rather, how external stakeholders perceive it as responding, is key.
What do we mean by reputation?
We can’t progress any further without defining what we mean by reputation. In their book, Essentials of Corporate Communication, Cees van Riel and Charles Fombrun state that since the early 1980s several definitions of reputation, particularly corporate reputation, have been proposed:
‘Reputations are overall assessments of organisations by their stakeholders. They are aggregate perceptions by stakeholders of an organisation’s ability to fulfil their expectations, whether these stakeholders are interested in buying the company’s products, working for the company, or investing in the company’s shares.’
Why does reputation matter?
If you’re reading this article and have some understanding of how a few organisations have managed their response to information breaches, you may have a good idea of why we should care about our reputation. Aon’s 2019 Global Risk Management Survey reported that, of the key risks and challenges organisations currently face, ‘damage to reputation/brand’ ranked second, whilst ‘cyber attack’ ranked sixth.
Deloitte’s 2014 Global Survey on Reputation Risk reported that physical security and cyber security, which we know are intrinsically linked, were cited as one of the key drivers of reputational risk among the executives sampled. Although the survey is dated, given the public consequences of several breaches in the past few years, I strongly believe that the response from executives in 2021 would be the same.
This risk, however, is not likely to be constrained to short-term impacts. The Aon and Pentland Analytics report, Reputation Risk in the Cyber Age, suggests that the impact on reputation can be longer term. It does this by highlighting that a cyber attack has a significant impact on the share prices of affected companies, with some reporting a fall of 25% in their value even a year or more after the attack occurred. This evidence provides an opportunity to influence the board by demonstrating not just the reputational impact of a cyber attack but also the financial impact.
A lot depends on perception
Those of us who work in cybersecurity know that the proactive management of our security posture relies on continually assessing the organisation’s risk profile, which informs the approach to, and management of, its defences. This is true for all organisations, regardless of their size, location, industry or turnover.
One area which perhaps isn’t always explicitly included is how the organisation will respond to a cyber attack. If handled badly, this could have very real, negative consequences for its reputation, with further second- and third-order effects. This means the organisation must have developed an appropriate response plan in case of a cyber event. One of the most important factors affecting the organisation’s reputation is how it is perceived to be responding to the incident - creating perceptions of transparency and honesty is arguably key here.
The adage remains true: actions speak louder than words. Whatever the organisation communicates, it needs to be backed up strongly with meaningful action. What matters most is that action is taken to minimise the impact of a breach as far as is feasible. The organisation must fully communicate to its stakeholders the steps it is taking to minimise the impact of the event and, ultimately, to restore trust and confidence in the organisation. If it fails, the organisation may never fully recover.
Learn from the past
A lesson for one is a lesson for all.
It’s important that we learn from the past. It’s also important that we understand and comply with our legal obligations, for example with the General Data Protection Regulation (GDPR). GDPR introduces an obligation for organisations to report data breaches to the relevant supervisory authority within 72 hours of becoming aware of the breach. In the case of the UK under the Data Protection Act 2018, this report must be made to the Information Commissioner’s Office (ICO).
Let’s use TalkTalk as a historical example, although there are many other breaches that could be discussed, SolarWinds among them (see p41). The ICO has said that the cyber attack and data breach that TalkTalk suffered in October 2015 could have been prevented if TalkTalk had taken basic steps to protect customers’ information. The implications for the company reached far wider than security alone.
Zlata Rodionova, writing in The Independent in October 2016, reported that TalkTalk’s profits more than halved in the year following the cyber attack, with pre-tax profits falling from £32m in the year before to £14m. It can therefore be argued that the breach negatively affected the confidence of customers, who then likely changed their provider to one with a better reputation.
The data breach of Mumsnet in 2019 is a different story. The website prides itself on the privacy of its members, mainly because the topics discussed on the site can be of a particularly sensitive or personal nature. The website was alerted by several of its users that, when logging in, they could access someone else’s account - an issue that occurred when two users logged in at the same time.
Mumsnet arguably took the correct action in this situation: it alerted its users to the issue, rolled back the software updates which had caused the problem, logged all users out of their accounts (forcing them to log back in and hence removing any illegitimate access to another account) and reported itself to the ICO.
Although Mumsnet suffered an arguably smaller breach than TalkTalk, and one that was accidental rather than malicious, the difference in the two companies’ responses is noteworthy. Mumsnet was much more transparent in its approach and faster in the way it acted, which served to minimise any impact on its reputation.
How can we minimise the risk of a breach?
The first step to minimise the risk of a data breach is to understand the risks that the organisation faces. In typical fashion, the best place to start is with a risk assessment using a recognised standard or framework to understand areas of low maturity that require attention. It is crucial to understand the threats to the organisation, the organisation’s critical assets (which may be physical or information) and the vulnerability exposure of the organisation.
As always, it would be foolish to say that every attack can be prevented, but it would be a failure of due diligence for an organisation not to put proportionate defences in place. As alluded to above, any organisation needs not just to conduct cyber risk management, identifying and mitigating risks, but also to conduct defensive cyber operations continuously. In other words, it must continually monitor the network and respond to security events as they occur.
Security is everybody’s responsibility
Information security, cyber security, cyber resilience, or cyber mission assurance (whatever we are calling it today) should not just be a function of the security department. Security, as the saying goes, is everyone’s responsibility.
Cybersecurity processes should be embedded into business processes and explained in a manner that employees understand and can comply with. Employees need to be incentivised and encouraged to follow security processes, and they need to understand the benefit of doing so - or perhaps the consequences of not doing so.
The most effective cyber defences will always be those which concentrate resources where they are needed. It is key that any organisation focuses on the human dimension as well as the technical. People are often described as the weakest link in security - but it doesn’t always have to be that way!
What is the takeaway?
The key takeaway is that every organisation must prepare for the worst. It must prepare for all eventualities, and that includes a breach of its defences.
The organisation must have an effective communication plan and a strategy to deal with the after-effects of a cyber event, or, in other words, have a crisis management plan.
One of the greatest dangers of a cyber attack is damage to the reputation of the organisation. To preserve that reputation, it is important to remember that actions speak louder than words.