Managing Cybersecurity Threats and Reputation Risk


Cybersecurity is one of those threats feared by just about every organization, regardless of size and specialty.

Just think of some of the high-profile victims of data theft over recent times – Sony (2014), Equifax (2017) and, more recently, Marriott (2018).

Given the inevitability of a cyber-attack, how can a company anticipate and manage the associated reputation risk?

This timely topic is the subject of a new chapter in the recently published 3rd edition of RockDove’s hugely popular ebook, “The New Rules of Crisis Management in the Digital Age”, which has been downloaded more than 3,500 times.

The cybersecurity chapter is authored by the experienced and highly regarded expert, Sarah Tyre, the EVP for crisis and corporate issues at Weber Shandwick, recently named the global agency of the year by industry publication, The Holmes Report.

Sarah identifies several factors which are more likely to result in reputation damage in the event of a data breach:

  • Lack of preparedness
  • Waiting too long to disclose the incident
  • Poorly executed breach response
  • Not getting the fundamentals of data security right
  • Lack of transparency around the collection of data and its retention
  • Representing a ‘first’ (for instance – the largest, new to the sector, unusual elements to the threat)

Sarah’s chapter addresses how an organization can overcome these trip wires by building what she describes as a ‘resilient organization’.

A resilient organization is one that can manage a cyber-attack, mitigate the impact and recover quickly.

Here are the key elements to build resilience in an organization:


  • Gap Analysis – critically review existing protocols and responses.
  • Cyber Communications Plan – create a playbook that includes elements such as an escalation process, definitions of roles and pre-approved messages.
  • Simulations – conduct periodic crisis simulations and desktop exercises focused on cyber scenarios.
  • Leadership Training – ensure the Board is briefed and senior executives have their own coaching sessions.
  • Spokesperson Training – who is the person who will be the public face?
  • Relationship Development – identify influencers and stakeholders and have plans to engage if there is a cyber incident.
  • Trend Monitoring – follow how the media cover cyber incidents in your industry.
  • Internal Education – share information with employees to help mitigate risk.

As Sarah notes at the conclusion of her chapter, you may not know when the next cyber-attack will occur, but having a well thought out preparedness plan will improve your chances to respond effectively and recover quickly.

You can read the full chapter, together with 11 other contributions from experts in the crisis field, by downloading a FREE copy of the book here.  





