BIG Director Bryan Garvie talks about cyber crime and how to respond if your company is caught out.
You can tell a speaker has hit a nerve when a collective shudder ripples through their audience.
In a room of lawyers and IT security experts, the following phrase caused a few shoulder shimmies: “Don’t think that because you’re not a utility or a bank you’re not a target – hackers aren’t looking for a particular business, they’re just looking for weakness.”
Richard Patterson, MD of cyber specialists Ankura, sure knows how to get his audience to pay attention. He was the final speaker in a three-hour mock cyber attack event, hosted at the Manchester offices of law firm Addleshaw Goddard. Helena Brown, the partner who leads the firm’s data practice, was the host and covered the legal aspects; while Eric Alter from Marsh talked about why proper cyber insurance should be a standard part of your risk cover.
I was asked to speak about the reputation impact of a cyber attack, and specifically how companies can best respond if they’re the victim of a data breach.
It might be worth a bit of brief context for this, on the off-chance the subject of data protection has passed you by over the last couple of years.
May 2018 saw the biggest shake-up of data protection laws in the UK for some time. The changes effectively mean that companies are no longer entitled to contact consumers unless they’ve received explicit consent to do so from the individual concerned. There’s clearly more to it, but that’s the gist.
What companies should be really concerned about, though, are the penalties for failing to comply – a fine of up to £20m or 4% of global turnover, whichever is greater – and the impact of how customers will react to their data being lost.
The UK’s data regulator, the Information Commissioner’s Office, has quickly got its elbows out and fined British Airways more than £180m for a data breach, as well as a host of other chunky-sounding fines.
So there’s a clear financial imperative to get this right, with the added incentive that cyber crooks are pretty indiscriminate in their targeting, and that no protection is ever impervious.
Richard’s comments echo the old joke about a wildlife documentary team faced with an advancing and aggressive lion. One guy pulls on a pair of running shoes, to sneers from his colleague who says he’ll never outrun a lion. The first chap replies: “Never mind the lion, I just need to outrun you.”
But let’s say you’re the slowest runner in the pack, and some nefarious ne’er-do-well finds a way into your customer records, then makes off with their personal details, bank accounts and all.
Of course, you’ve prepared for this. You’ve had sound and extensive legal advice, you’ve installed hermetically-sealed IT systems and have a well-drilled business contingency plan, including communications. So you know what you need to do.
What do you mean you didn’t have a comms plan in place?
OK, you’ll like this. According to recent YouGov research, a third of UK consumers would be less likely to buy from a company if they knew it had suffered a recent data breach. And what’s more, they don’t even blame the crooks – three-quarters of them blame the company which had the data stolen.
So let’s look at the reputational aspect of this, because it’s really rather important.
There are a few relatively simple steps you need to take, but the important thing is to ensure that any business contingency plan – whether it’s intended to respond to a cyber attack or anything else – includes communications.
First of all, get organised. Which scenarios are most likely to lead to a data breach, and what might that look like? Does your supply chain have a weak point, for example, and have you done everything possible to secure it?
Once you’ve identified these, get your key spokespeople media trained, and have them practice answering tough questions based on your worst-case scenarios. Proper media training will equip people with the skills and techniques to answer just about anything, without having to resort to porky-pies. Importantly, you need to be honest – if you lie, you’ll just make it worse for yourself.
As part of your media training, work on your key messages. We always encourage clients to keep key messages few and brief – if you have umpteen messages they, by definition, cease to be ‘key’, and stuffing each of them with too much information loses the clarity which is so important in a tricky situation.
You’ll also need to consider social media – how is your audience likely to respond? They won’t be too chuffed, for sure. So how will you manage that, particularly outside of working hours? Someone will need to monitor social channels, even those in which you may not participate directly, and make a call as to how, when and if you should respond. Social can be a good way of correcting misinformation in a developing situation, but it has to be handled carefully by someone who knows what they’re doing.
There are also likely to be other stakeholders who’ll need to hear from you. So other than customers and media, you might need to speak to regulatory authorities, industry bodies, police, politicians and partners. You should have a plan in place for each of them too.
Once you’ve worked all this out, it’s not a good idea just to stick your nice new plan in a drawer and congratulate yourself on a job well done. It’s perfectly possible for several years to pass between making your plan and actually having to call on it. If you haven’t looked at or practiced your plan in a couple of years, how likely is it you’ll be able to execute it well? Practice a couple of times a year to make sure you don’t lose your touch.
Ultimately what you need is to be able to demonstrate that you’ve behaved responsibly and have acted as a sensible custodian of customer data – if your protection of personal details could be described as anything short of vigorous, defending your reputation in the event of a breach will be a much tougher task.
To that end, repairing any damage after the event needs serious consideration too. Google will be only too happy to remind everyone of that time your cyber defences were found wanting, so having a strategy in place to show your business in its best light – across every channel – will be the final and essential part of your plan.
As last words go, Eric Alter from Marsh provides what you might optimistically consider an easy win against cyber threats. There were 6.9 billion (BILLION!) personal data records stolen in the last 12 months. Only 2.2% were encrypted.
So that’s one thing you can do.
Two more mock data breach events will take place in Leeds and London this year. Dates and registration are available here.