The digital revolution has opened up a raft of opportunities for organisations and individuals. It has created megabrands such as Google and Facebook and a generation of new entrepreneurs but it has also exposed us to much greater reputational risks.
At our latest View from the Bridge event ‘The Internet – creator and destroyer of reputations’, we asked a panel of experts what steps could be taken to protect brands from the growing threat posed by cyber-attacks and if there was a likelihood that we could meet the Government’s objective of making the UK the safest place to do business online.
Jon Rigby, Director of Cyber at AlixPartners and a former Director for Cyber, Intelligence and Information Integration at the MoD’s Joint Forces Command welcomed the government’s stance but stated that it is the responsibility of company boards to ensure that they protect their corporate data assets, intellectual property and their customers and shareholders. But he acknowledged that any company doing business online is taking a risk as there are no international boundaries and the risks are becoming increasingly diverse and ever more sophisticated.
Dave King, CEO and founder of Digitalis, agreed but said that there was a problem with how cyber security is perceived at board level. Publicity of the threats posed by cyber has risen to such an extent that most senior executives are now aware of the issue, but many are under the illusion that their firms are safe if they do not hold consumer data. However, he warned that around 20% of hacks target intellectual property, which means that all manner of companies are at risk.
Too many CEOs and their boards still believe that cyber is a technological issue and should be handled by the Chief Technical Officer and his/her team. However, Dave warned that the greatest risk companies now face is human and arises from bespoke, dedicated attacks that start with some form of social engineering. This, he explained, could be as simple as targeting people who had recently participated in a charitable event with a personalised phishing email congratulating them on their efforts. He ran through three recent high-profile examples involving Sony, Apple and Target – none of which were technological breaches and all of which resulted in significant reputational and financial damage.
Jason Beer QC (who recently acted for UK law enforcement agencies in the litigation arising from the theft by Edward Snowden from the US National Security Agency of thousands of documents; and for the Metropolitan Police Service in claims by the victims of mobile phone hacking) stated that the law provides an after-the-event remedy. Instead, companies and their management teams need to do more to mitigate the risks posed by inevitable security breaches and to ensure they are fleet of foot enough to react and to appoint experts to assess, plan and protect against an attack.
He highlighted the asymmetric nature of the cyber-security threat, such as cyber-espionage by state-sponsored organisations; an increasing focus on the retail sector; auto-logging resulting in mobile attacks; exploitation of old source code; and a greater focus on end-point security.
Jon Rigby agreed with the other panellists that companies need to ensure their staff and business partners are not vulnerable to theft. Rather than focusing on the technological aspects of cyber-security, he said that firms must do more to prevent the threats that are often perceived as lower tech.
Dave King claimed there was likely to be a sea-change in opinion as public understanding and awareness of cybersecurity grows and people remember that the villain is the hacker rather than the company which has been hacked.
Whilst agreeing, Jason Beer QC suggested that the lack of a cross-border legal framework means company boards must take greater responsibility and must be seen to have taken all steps to mitigate risk. If they do not, and a material breach takes place, the company could suffer reputational damage as well as a financial cost that could run into millions. He highlighted the attack on Target, which resulted in the firm reporting a $148 million loss directly attributable to the hack of customer data. He also warned that the threat of class actions is already a reality in the US and is likely to cross the Atlantic. To round off a fairly sobering event, all three speakers agreed that there was no limit to the amount that companies could spend on trying to prevent a cyber-attack but that criminals will succeed in the end. They also reminded the room that they were particularly at risk, and potentially liable, if there was a cyber-attack resulting from their own actions.
Given that some of the most high profile cyberattacks have resulted from access being granted to third parties, what steps should PR advisers take if, as and when the worst happens to their firm or their client?
As with any potential crisis, planning and preparation are essential. Firms should regularly be testing scenarios with a ‘Red’ team to ensure that lines of communication and authority are clear and quick. Once a cyber breach has occurred, there will be little time to respond and firms can quickly fall behind the news agenda. If they can ride out the first two news cycles then there is a chance that the reputational fall-out will not strike a mortal blow to the company, and strategies will then need to be rolled out to staunch the flow of online negativity.
So just think carefully before you download that document on the way into work or open the email from an unknown person praising you for the money you raised in a 10km run.