You cannot but heed the warning. We are hearing from every direction that cyber risks and their impacts continue to increase by the day.
Cybersecurity is about protection, preparation, mitigation and response. Technical defences alone are not enough. And waiting for the crisis to make preparation a priority, is not good enough.
Warning sounds aplenty
The government warning is clear. Heightened alerts from governments and regulations coming into place to increase data protection standards through the General Data Protection Regulation (GDPR) and critical infrastructure protection through the Networks Information Systems (NIS Directive) mean we are soon entering a period of increased oversight.
Investor reactions are clear. They punish stocks for not responding well to a cyber incident. We have seen company share price falls of over 30% following a significant breach.
Customers demonstrate their loss of trust by walking away. Companies have increasingly reported more specifically the impact of a cyber incident and how many customers they have lost as a direct result, one of which was almost 100,000.
Employees hold their companies accountable for having the appropriate defence measures in place. A company in the UK was recently found liable in the country’s first data leak class action lawsuit, brought by a group of their employees for a data breach following the loss of sensitive personal information of nearly 100,000 staff.
The best approach to resilience is preparation.
What good preparation looks like
Often the response to an incident has more of an impact than the incident itself, and the response is shaped by the company’s readiness. If you are not prepared with an executive level management awareness of vulnerabilities, impacts and your abilities to ringfence or minimise impacts quickly, through the right people and communications, the value of technical defences is lost.
Cybersecurity reputational resilience should include:
- Enterprise risk assessment. Understand where and why your company is most at risk and what that would mean to your operations and corporate reputation. Map out the most probable and potentially damaging attacks and their impacts on the business, your partners, employees and customers.
- Response readiness. Plan for who needs to know when an incident occurs and their responsibility to work toward business continuity. Executive teams should be focused on responding to the strategic and reputational implications, while the crisis response team should focus on business continuity. You should think now about what you want to say when it happens and understand which questions will be hard to get answered quickly.
- Leadership preparation. Cyber incidents move quickly and the leadership team need to understand the critical decisions they face and consider the ramifications of those decisions. Everyone's job is on the line if the impact has significant and lasting impacts, but accountability starts at the top.
Anything but thorough preparation by a company is now not enough. There are too many warnings and examples to point to that illustrate how important a company’s cybersecurity awareness and preparation is to its corporate reputation.