Security breaches are escalating globally across every sector of business, yet only half of CISOs and CIOs have a crisis contingency plan and the secure communications needed to execute one. What are we waiting for?
After high-profile cyber attacks that hit brands like Equifax, JP Morgan Chase and Yahoo!, most companies still have not implemented a company-wide crisis strategy. According to a recent global study conducted by Ponemon for IBM Resilient, 77 percent of respondents admit they do not have a formal cybersecurity incident response plan (CSIRP) applied consistently across their organization, even though 65 percent agree that the severity of cyber attacks has increased, and that part of that severity is the time it takes to rebuild communications and infrastructure.
Despite clear awareness of the risks and of skyrocketing damages (global cybercrime costs are projected to reach $6 trillion annually by 2021), crisis plans still take a back seat for many CISOs. It is well overdue for enterprise decision makers to ensure that a plan and strategy are in place to combat attackers and reduce the risk of a breach. When a company is attacked, management and employees need to be prepared to keep the business running, with end-to-end encrypted channels of communication already in place, or business continuity is not possible. Secure communications are no longer optional in the digital age; they are a necessity.
Maersk, a victim of the June 2017 NotPetya attack, left its stakeholders in the dark during the crisis because its communication systems were down. The only message was: “…We confirm that some Maersk IT systems are down. We are assessing the situation…” The attack compromised the company’s internal and external communications and left it largely offline for ten days. Rebuilding its infrastructure required reinstalling 4,000 servers, 45,000 PCs and 2,500 applications. Maersk’s CEO later announced that third-quarter results would include losses of as much as $300 million.
Had Maersk had a cyber crisis plan in place and a secure communications platform built to handle an event of this magnitude, management and employees could have responded faster, limited the losses and reduced the risk to the company’s brand, value and reputation.
The high cost of negligence
Attacks like NotPetya are no longer the exception; they are the rule. Cyber attacks are so common that cyber risk insurance is now one of the fastest-growing insurance markets. Still, many companies are behind the curve in protecting their assets. An Ovum study on cybersecurity readiness states, “50 percent of U.S. firms do not have cyber risk insurance and 27 percent of U.S. executives say their firms have no plans to take out cyber insurance, even though 61 percent of them expect cyber breaches to increase in the next year.”
The same study cites RAND’s estimate that a typical breach costs a company about $200,000, or 0.4 percent of annual revenue, which leads RAND to conclude that, “relative to all the other risks companies face, the cyber risks often aren’t as big a deal as we think.” This short-sighted reading could mislead CISOs and CIOs into believing the risks are not high enough to justify investing in countermeasures, lulling management into a false sense of security with serious consequences. A typical figure also hides the tail of the distribution: the Maersk loss described above was more than a thousand times that typical cost.
Data compiled by the Ponemon Institute puts the average cost of a single data breach at about $3.5 million. The frequency and impact of attacks could leave many enterprises in critical situations. For smaller companies it is much worse: 60 percent close within six months of a cyber attack. Investing in cybersecurity is an investment in a business’s livelihood.
Can you ensure business continuity during a crisis?
Now that GDPR is in force, companies must notify the supervisory authority of a personal data breach within 72 hours of becoming aware of it, unless the breach is unlikely to pose a risk to the individuals affected. More than ever, a data breach is not the time to go silent. Once a company realizes it has been breached, all of its communication systems should also be treated as compromised and investigated, even if email, phone and conferencing systems are up and running: an attacker with a foothold in the network can read the very email and chat traffic in which the response is being coordinated. A comprehensive crisis plan outlines communication protocols for employees, including out-of-band channels set up and tested before an incident, and includes strategies to rebuild the company. In its absence, employees have no direction for managing critical relationships with the press, partners, customers and financial markets.
Crisis communications plans and reporting are crucial to a company’s survival after a hack. Today’s media will fill any silence fast, sharing what they know (and their best guesses) through calls, texts, social media and exposés. A bad situation gets a lot worse when the company does not control the narrative. Making sure that CISOs have the infrastructure, communications and messaging in place before a crisis can determine a company’s livelihood.
No more excuses
More than 200,000 new malware samples appear and roughly 4,000 ransomware attacks occur every day. Becoming more resilient to cyber attacks requires companies to recognize that preparation is the key to success. Be ready for the inevitable. The tools used to attack enterprises are commoditized, accessible and readily available. The time to invest in cybersecurity is now, and the way to confront this threat is with a crisis communications plan that is prepared, polished and put into practice.
Morten Brøgger is the CEO of Wire.