Plus ça change, plus c’est la même chose… in cyber
“The more things change, the more they stay the same” as the saying goes. Yet, despite huge leaps in the security technology to defend organisations against attacks, it remains true for cybersecurity breaches dating back to the first major computer system hack by Kevin Mitnick in 1979.
We recently attended the WiTT event on cybersecurity and privacy and it prompted me to think about how responses to cyber attacks have changed. The panellists, including Philippa Cogswell at Darktrace, Ruth Davis at BT Security, Lisa Hamilton at Deloitte LLP, and Paul Glass at Taylor Wessing, all spoke about a number of cybersecurity trends from 2016 and ones we expect to see over this coming year. One of the main themes discussed was the rise of mobile and IoT devices and its impact on phishing and ransomware, as well as the hot topic of GDPR, which is coming into effect next year.
Though there’s more and more discussion about cyber and the changing threat landscape, the broad story is the same – one in which people are falling for surprisingly conventional threats and, therefore, more education and pre-emptive measures must be taken to keep organisations safe and secure. Considering the increasing digitisation of business, it’s become even more of an issue and for all the new threats that seem to be emerging, it’s surprising in some ways to see that there hasn’t been more progress in terms of awareness.
Comms and cyber
We all read about the TalkTalk attack where the company was criticised for not responding more quickly to its customers. The same accusation was levelled at Yahoo!, resulting in its CEO being punished for mishandling the breaches and Yahoo!’s general counsel resigning. Ashley Madison’s breach had a massive effect on the public – leading to resignations, divorces and even, sadly, suicides.
One thing that connects all these hacks is the fact that there wasn’t a better – and more rapidly deployed – comms plan in place, ready to go in the event of a crisis. As Ruth Davis from BT Security said at the event, “At the moment, cyber-attacks are only discussed in ‘crisis’ terms.” It’s not yet been fully accepted as part of the modern risk profile of business operations, for which contingency planning (and testing) is part of the everyday.
A new normal
The learning here is that companies need to be more proactive than reactive; they need to plan instead of being on the back foot. Airlines have, and rehearse, comms in the event of a disaster – for example, when there’s a plane crash, many airlines will not only have contingency plans in place but will rehearse them in fire drills every few months to ensure the corporate infrastructure is equipped to handle the decisions and communications flow required to manage the issues at hand. Brands need to take the same approach: every business needs a cyber disaster comms plan to ensure they are delivering responsible and prompt information to their customers, employees and other stakeholders.
Not only is this sort of disaster planning key, but, with cybersecurity becoming an important feature of the trusted relationship between consumers and brands, every organisation needs to develop a narrative around what they are doing to mitigate and protect against these sorts of threats proactively. This will provide an important pillar of differentiation in an increasingly digital world.