Portions of this article first appeared in BCBusiness in July 2019
Given all the headlines about big corporations falling prey to cybercriminals, you might think they’re the only victims. That misconception could ruin not only your business but also the businesses the insurance industry wishes to protect.
The problem with cybercrime is that you need to consider not only digital assets but the reputation of the brand as well. Neglecting the latter, no matter how well you protect the former, could still lead your clients to declare bankruptcy. Insuring against cybercrime is important, but one must make sure that there are ample funds within the policy to combat reputation perceptions and help regain trust from those ultimately affected.
Before I go any further, I should point out that I’m not a cybercrime expert or a lawyer. I must stress that it is in the best interest of anyone reading this article to consult with experts when dealing with any breach to make sure both your data and company are equally protected.
As someone who focuses on the brands and brand reputations of my clients, I’m not surprised that so many people who fall victim to cybercrime pay the ransom and quietly try to recover from it.
Let’s not kid ourselves: cybercrime, whether it’s extortion or malicious attack, is a brand problem.
Not only is the reputation of the attacked company at stake, but there’s added potential harm if it affects vendors and clients. Once the attack is disclosed, this can lead to trust issues for the attacked brand. That lack of trust can manifest itself in the brand being perceived as incompetent or accused of mishandling sensitive data.
The gut reactions by vendors or clients affected are probably not “How horrible it is that you were attacked” but rather, “How could you as a brand be so careless with my information?”
Effective communication is the key to surviving a cyber-attack. The main challenge is that people are not skilled at communicating in a crisis and therefore make a bad situation worse.
People affected are fearful and feel violated.
They realize that those they have trusted with sensitive information may not have been worthy of that trust, which causes anger. This creates an even larger problem, which is that people don’t know what will happen next. How will this breach affect them or their business? Does giving the hacked company their information open them up to further attack?
You may be thinking: why divulge the fact that the breach occurred?
Depending on where you live, you may have a legal obligation to inform anyone who has been affected by your breach. Again, please check with counsel. Ignoring that obligation may seem the lesser of two evils. However, there’s always a good chance that someone will find out, and as President Nixon learned, the perceived cover-up is always worse than the crime.
So how do you protect your brand reputation in a cybercrime crisis? Communication is the key.
Take ownership! Tell everyone affected what caused the breach, what’s being done to fix it, and how you’re going to make sure that breaches don’t occur again. Letting people know what has happened, that you’re sorry, that you have inconvenienced them and challenged their level of trust is always the best course of action from a communications standpoint.
Remember, it’s your systems, your data, and your processes that led to a hole the cybercriminals were able to breach, so take ownership! However, it’s also important to realize and communicate that you’re the victim as well. Most people understand that no system is perfect or fail-safe and if you can explain what happened and the extent of the issue, they’ll be more apt to work with you to fix things.
The more you can admit what went wrong, apologize, and demonstrate your willingness to make things better, the sooner you can start to regain trust in your brand.
It isn’t perfectly on point, but this case study of how Maple Leaf Foods handled its listeriosis crisis in 2008 is a textbook example of how a company weathered a crisis by communicating frequently and accurately.
Open and honest communication will enable you to protect your brand.
Unfortunately, cybercrime will continue to happen. It’s up to each business, its employees, and those they engage with to do what’s possible to mitigate the risks. The more companies can communicate challenges and teach staff how to spot holes in the system and work together to get them fixed promptly, the better odds we all have of not being victims.
Looking for some advice to help keep cybercrime from happening in the first place?
For many small and medium-sized businesses (SMBs), prioritizing cybersecurity on an ongoing basis in their operations is not always easy. Training and educating employees, or practicing consistent cyber hygiene, is also challenging for many businesses under pressure to focus on their day-to-day activities. But the risk they face from cyberthreats is real.
Here are five tips from industry experts that provide some actionable advice to prevent you and your employees from becoming victims of cybercrime.
Know how to identify suspicious emails and links
Employees are a critical factor in mitigating cyberthreats for SMBs, so it’s important to educate them on cybersecurity, including good email hygiene, to protect your business.
Phishing, a form of fraud in which an attacker poses as a reputable source in email or another communication channel, is a common form of cybercrime. To combat the threat of phishing, teach your employees never to open an email or click on attachments and links from someone they don’t recognize – especially when it includes an enticing offer, such as a cash reward, in the subject line. Employees should also take a minute to review emails from people they know. Compromised email accounts are regularly used to send malware to contact lists because recipients are far more likely to open those emails and attachments.
Strengthen passwords and set up two-factor authentication
With all the websites and apps that require a login, remembering a unique password for each is nearly impossible. But one of the biggest mistakes people make is using the same password across all accounts. If someone manages to steal a password for one account, they can access everything.
Weak or duplicated passwords expose you and your employees to cybercrime. To mitigate this threat, use two-factor authentication, which requires the user to enter a password and validate that login using another form of authentication (e.g. a code sent to a mobile device). This extra step significantly increases the security of company emails and data.
Be wary of public Wi-Fi connections
With the growing trend of working remotely, it’s likely that your employees will find themselves connecting to the office using personal devices and unprotected access points, such as Wi-Fi networks in coffee shops or airports. The potential for compromise is high and can open a gateway to your company’s network.
To ensure your network is prepared for these risks, consider requiring all employees to install VPN software onto their devices, so connections are secure and encrypted when working remotely.
Ensure web-connected devices are secure
As they engage in the digital transformation, many SMBs are regularly introducing new devices to their network infrastructure. With malware targeting IoT devices such as printers and routers, businesses are exposed to a variety of threats that cybercriminals can easily exploit.
To mitigate risk, the business should ensure all devices, including employee terminals and office equipment, are properly secured before being fully implemented. Any bring-your-own-device policy should also involve human resources and legal to create an atmosphere where every employee takes ownership of cybersecurity awareness.
Anyone can be a target
Some SMBs assume they aren’t a target for cyberattacks given their size, but this isn’t the case. SMBs have valuable personal and business data, just as large corporations do.
Employee training and education are essential to minimizing risk. By creating a cyber-safe working environment and encouraging a company culture of consistent cyber hygiene with adherence to cybersecurity best practices among employees, SMBs can reduce the likelihood of attacks.
In summary, the best defense against cybercrime is a good offence. The more prepared you are to repel those who wish to harm you, and to communicate effectively through a plan already in place should anything happen, the easier it will be for you to survive and thrive beyond the initial threat.