Over the last few weeks I’ve been catching up with a number of the speakers for next year’s CISO Africa conference. A common thread in nearly every conversation has not been around technology, employee education or external threats, but rather the aftermath of an attack, the reputational damage it can cause a business and how to get through it. Interestingly enough, a conversation I had just this morning was around social media backlash, fake news and misinformation. As much as protecting data and assets is vital, managing your company’s reputation in a digital world is becoming increasingly fragile, complex and directly under threat.
Is stealing information the main motive behind attacks?
Which is more distracting to the running of the business: the loss of information or the tarnished reputation?
The conversations I had, which will continue at the conference, hypothesised that reputational damage outweighs data loss (there are some obvious exceptions). You’ve had a breach, you’re on the back foot already, and now this needs to be made public or at least stakeholders informed. But can you explain an incident without receiving major backlash? A data breach will have an immediate impact on stakeholder sentiment, and recovering from this may be a long and arduous process. Some folks have mentioned that consumer apathy may limit damage; or the opposite may be true, adding fuel to the flames, especially if the targeted company is a provocative one. For example, the saga around the Ashley Madison breach… I don’t think I need to go into too much detail about that instance.
The frequency and scale of events also play a role in this, again compounded by responses (or lack thereof) from both PR and security leadership teams. If your systems are hit again and again, and you don’t manage your reputational risk, the knock-on effect will only be exacerbated.
It is important to identify who is responsible for driving sentiment back up; there are several internal and external stakeholders embroiled in this mess who need to be put at ease.
A well-timed announcement from the CEO may allay market fears and put customers at ease, yet regulators could be breaking down the door, or a slew of politicians could be using the breach as a platform for their own agenda. It may seem a bit far-fetched, but the rampant ire of social media, and the widespread sharing of misinformation, can play into the hands of competitors, or indeed (and this may sound even more sinister) into the hands of the cyber attackers themselves.
What could be a mere blip in terms of data loss could be magnified into a serious violation: “your personal data is not safe”, “company X can never be trusted again”! The size, frequency and severity of the breach, the speed of response and the handling of multiple stakeholders all play a significant role in the long-term impact on your business.
There are countless examples of how data breaches can cripple an organisation in a matter of days (think Ashley Madison), and in some cases the effects of reputational damage can sink a business. Then again, there are also examples where the opposite is true, where public sentiment responds with bursts of anger but recovers within a matter of days and everything carries on as usual (Facebook, countless times).
There is an argument that the nature of the breach – be it internal or external – is proportional to public outcry; that a rogue employee is more palatable than an unseen outside threat. Wouldn’t a rogue employee look to cause more damage, though?
In the aftermath of any attack, there are a handful of golden rules for recovery. Here are two of them:
- Show empathy and issue a statement immediately – make sure it is compliant, fact-checked and signed off by the legal team.
- Have a plan in place to respond to all key stakeholders and to mitigate social media backlash, and have the right spokesperson to handle the public – is this the CEO, or the CISO?
The discussions around reputational loss will continue at CISO Africa 2019. We encourage all who attend to share their thoughts and learn from others on what is a deceptively ordinary topic, but one that deserves increasing attention.