No longer a question of if a crisis will come…but when
Recent reporting from all over the world has shown that cybersecurity fears are reaching individuals and organisations. For both groups, reputational risk is at an all-time high.
Mark Forbes, author and former editor-in-chief of The Age in Melbourne, Australia, told CIO Tech Asia, “it’s not a question of if crisis will come, but when.”
This could not be truer in relation to cyber risks:
• There has been a rapid spike in the number of coronavirus-related email attacks, up 667% since the end of February
• 8 out of 10 organisations have mobilised their crisis management teams at least once in the past two years, with cyber attacks being the most common cause (Deloitte)
• Despite the likelihood of a cyber crisis occurring (amongst other crises), less than one in four companies test their crisis plans annually – not to mention the companies that do not have a crisis plan at all.
According to Forbes, CIOs are an integral player in a business’ crisis management team.
“They need to work with the communications team – before a crisis occurs – and contribute to the crisis communications plan,” he said. “CIOs can provide value in assessing cyber risks for the business and ensuring there are technological processes in place to assist the response if a crisis were to occur.”
For example, if the network is compromised:
• What is Plan B to access the crisis communications document?
• How are passwords stored and protected?
• What databases are available for contacting stakeholders?
“Cyberattacks are a common cause of organisational crisis, a risk that has been turbocharged by the Coronavirus pandemic,” he said. “Individuals and businesses are adapting to remote working and digital communication, dramatically increasing businesses’ exposure to cyber threats.”
In his e-book Surviving Crisis, Forbes said disasters were the new normal, with large companies averaging a crisis a year over the past five years.
“Now, with half the world in Coronavirus lockdown, I expect few would disagree,” he said.
“A global survey by Deloitte of more than 500 crisis management executives found eight out of 10 organisations have mobilised their crisis management teams at least once in the past two years, with cyberattacks being the most common cause.”
Forbes said the sudden increase in remote working has amplified long-standing cybersecurity challenges such as unsecured data transmissions, external access to company systems, opportunity to obtain employees’ details and passwords, and use of platforms such as Zoom which lack extensive security protocols.
“Cyber safety should be a key priority of any business’ Coronavirus response. Already the Australian Cyber Security Centre (ACSC) has issued a new advisory detailing how to reduce the risk of falling victim to cybercriminals,” he said.
“The ACSC has received a stream of reports from individuals, businesses and government departments about a range of COVID-19 themed scams, online frauds and phishing campaigns.”
Forbes said while there were a number of ways to mitigate the cyber threat, such as insisting staff use strong passwords, ideally with multi-factor authentication, or using a Virtual Private Network (VPN) to connect to a work network, the likelihood of experiencing a cyberattack is extremely high. “It’s important to be prepared if one were to occur.”
“The principles of effective crisis communication apply no differently when communicating in the face of a cyber incident,” he said. “If anything, the speed of the business’ message is more critical, protecting one’s personal identity instils a strong emotional response.”
Forbes said it was important for the user’s voice to be the first one a CIO and his team hear on the issue.
“If, or when, a cyberattack occurs, the key is for businesses to communicate promptly and empathetically,” he said. “Remember a technology incident almost always has human impact.”
To mitigate risk, Forbes recommends CIOs and their team:
• Think about the people behind the technology – acknowledge the impact that the incident has had on your people, whether it’s customers, employees, donors, board members, investors or volunteers; people in a crisis want to know what it means for them, not what it means for the ICT networks. Put forward a personable spokesperson and avoid the use of technical jargon.
• Not leave an information vacuum for others to fill – a data breach is a sure way for stakeholders to lose trust in a brand. A way for businesses to start rebuilding trust is to become the source of accurate information on the issue. If you don’t have the facts, let people know how you are finding them.
• Use clear and consistent messaging – messages that are clear and compassionate will have the most cut-through when people are in a heightened state of stress. Also don’t be afraid to repeat yourself. It often takes numerous times for a message to resonate.
• Not set and forget – follow up on the promises you made to address the issue and the protocols you said you will put in place. Track progress moving forward and regularly report on the milestones achieved.