A cyber-attack could damage your business. Protect your reputation with CyberOptic
By Tim Field, Associate Director
The frequency and sophistication of high-impact cyber-attacks are increasing at an alarming rate. Businesses and organisations shouldn’t wait to see if they’re the next victim; they need to prepare their response now.
Everyone from governments and national security agencies to private sector specialists is issuing warnings that organisations of all sizes, from listed companies through to SMEs, charities and political parties, need to take steps to protect their systems and consider their response if attacked.
Alarming statistics abound. A recent article from Forbes reported that 3 in 5 companies were attacked in 2021, that cybercriminals can penetrate 93% of company networks and that 50% of businesses have no cybersecurity risk plan in place. Recent UK Government research found that although 82% of companies state that their board sees cyber security as a high priority, only 19% have a written incident management plan.
The stakes are high for cyber security
The cost of cybercrime is enormous: it was estimated to have cost US businesses more than $6.9 billion in 2021. The move to hybrid working since the pandemic has made IT systems more vulnerable and made businesses a soft target for sophisticated criminal groups who use extortion to profit from their actions.
While maximising IT systems security as much as possible is a prerequisite for every organisation, so too is preparing your communications response plan, should the worst happen. Attacks are getting more sophisticated but stakeholder tolerance for organisations being seen as victims is waning – especially when data is at risk. Security company Panaseer found that 82% of insurers expect premiums to continue to rise and policies to tighten, and that insurers are placing greater burdens on companies while intensifying their scrutiny of companies’ preparedness. Earlier this year, Lloyd’s of London announced plans for policy exemptions for state-backed attacks. What is clear is that relying on insurance alone to cover the financial losses isn’t sufficient, especially for small businesses who may not have specific cover but for whom the impact could be significant for every day they are unable to trade.
Protecting your hardest earned asset
Critically, for businesses and organisations of all sizes, one of the most valuable and hardest earned assets that can’t be insured is your reputation.
As attacks become more prevalent, the tolerance of stakeholders is much lower, especially where a ransomware attack has put personal data at risk. Situations are seen through the lens of blame. Customers, consumers and employees will ask whether their personal details are now at risk due to bad management, insufficient protection or underinvestment in security.
The frequency of media coverage of major data breaches makes them no less impactful: the bigger the business, the larger the data haul by hackers and the greater the profile given.
At the time of writing, Medibank, one of Australia’s largest private health insurance providers, is into its third week of speculation about the outcome of a ransomware attack that has seen 200GB of data extracted about its 3.9m customers, including all the personal information you would imagine such a company holding.
Medibank’s share price has fallen 20% since announcing the breach. If a 2020 risk, reputation and accountability study by Pentland Analytics is proven right, that is a loss that could be sustained.
Action, not reaction
The clear and consistent realisation after every crisis is that preparedness can reduce the impact. Often this is something businesses and organisations learn too late.
For a cyber-attack, some of this preparedness lies in preventative technical and practical choices – such as the right security protocols, updated IT systems and individual awareness of risks. However, as the small percentage of businesses having a written incident management plan demonstrates, too many are leaving their response when attacked to reaction, rather than being proactive.
In a scenario where a hack has left you with no access to your emails or contacts and locked out of your file servers, it is going to be much harder to plan your response in the hours and days that follow. Adrenaline will be running high, you’ll have regulatory compliance timescales to work to and there will be significant gaps in your knowledge of the severity of the situation.
This is when clear, decisive leadership and effective communications make a difference. Perception matters. The Pentland Analytics research also found that companies who responded well to a crisis went on to outperform market expectations by 20%.
The choice for every business and organisation is clear – if you want to protect your reputation and value in the face of a major crisis, you must prepare for how you will respond.
We have launched to help. Our risk and crisis experts can support you to act now using our proprietary diagnostic tool, to enable you to benchmark your organisation’s current response plans against best practice.