Cyber-Crises Are Never “Just an IT Problem”
by Tony Jaques PhD, Director of Issue Outcomes Pty Ltd, for people who work in issue and crisis management, author of Crisis Counsel: Navigating Legal and Communication Conflict.
Online data failures and ransomware attacks are emerging as a leading deadly threat to reputation. However, some organisations still seem to be treating them mainly as IT problems.
While cyber-crises are nothing new, experts say they are increasing in frequency and scale. Consider the ransomware attack on Colonial Pipeline which shut down fuel supplies across the East Coast of America, and the attack on JBS Meats which disrupted 47 facilities in Canada, USA and Australia.
Or the global impact of system failures in June at US-based cloud network providers Akamai and Fastly which shut down thousands of companies across the world.
Russian-linked hackers were reportedly paid $4.4 million by Colonial and $11 million by JBS. But for every ransomware case that makes the headlines, many small, or medium sized companies prefer to keep their crises under wraps. Indeed, internet security experts Kaspersky have reported that more than half pay their hackers.
There is a good financial reason to comply. In a notorious case in 2018, the City of Atlanta declined to pay a ransom of about $50,000. Instead, their recovery efforts cost more than $2 million on crisis PR, digital forensics and consultants. And in Australia, cyber-security incidents overall cost businesses an estimated $29 billion every year.
However, the reputational risk is also high. Despite regulators and law enforcement urging transparent reporting of cyber-crime, organisations fear the possible impact of cyber-shaming on share value and brand trust. And they know a breach resulting in loss of consumer personal data can trigger a multi-million-dollar class-action lawsuit.
So why are cyber-crises so damaging to reputation?
- They are so visible. Although some organisations try to hide or minimise data failures and ransomware attacks, social media in particular has made it increasingly difficult to avoid scrutiny.
- So many people are affected. Inter-connectedness of modern business means some cyber-crises directly affect millions or even tens of millions. For example, when bank or supermarket systems go down and people can’t access their own money or pay bills or buy groceries, the impact is immediate and widespread.
- They are such an easy headline. Cyber-crises are natural fodder for critical headlines and brand shaming, even though some of the world’s biggest news organisations were themselves brought down by the Fastly failure.
- They are perceived as preventable. Regardless of the technical cause, and whether or not foreign agents are responsible, the reality is that – rightly or wrongly – it’s the big brands and household names which get blamed for failure to prevent the problem.
Too often organisations fall back on default messages such as “It was outside our control” or “We were just one of many companies involved” or “We regret any inconvenience.” These may seem tactically smart but reflect little appreciation of the reputational damage involved. Look no further than the Commonwealth Bank, which attempted that approach but could not escape reputation-sapping headlines last month which highlighted their customers had suffered three system outages in just three weeks.
The challenge for issue and crisis managers is that customers often see cyber-crises simply as a failure of service. They will more likely blame their own supplier, not a previously unknown cloud-based operator on the other side of the world, or some anonymous Russian and Chinese hackers.
Moreover, judgement can be harsh. For example, one pre-pandemic survey across the USA and Europe found three-quarters of consumers would stop engaging with a brand online following a breach. They also found that half would not sign up for an online service that had recently been breached.
As Deb Hileman, CEO of the Institute for Crisis Management, recently asked: “Is your business at risk for a Cyber Armageddon? Yes. What are you doing about it?”
A Parting Thought On Cyber Crises And Reputation Management
Whether we like it or not, data security risks have entered the reputation management and crisis communications field.
Philippe Borremans
Learn more about Reputation Risk in Tony Jaques’ new book, Crisis Counsel: Navigating Legal and Communication Conflict.
CLICK HERE TO DOWNLOAD A FREE CHAPTER!
“Crisis Counsel confirms Tony Jacques position as one of the industry’s foremost experts on issues and crisis management. In addressing the complex interactions between legal and communication crisis responses Dr Jacques provides riveting case studies and practical advice. It highlights the financial and reputational risks of not effectively integrating communications and legal counsel. It should be on every communications practitioner’s reading list and companies should insist their in house and external legal counsellors read it.” – Noel Turnbull, Former Chair of Turnbull Porter Novelli, Adjunct Professor, RMIT University.
“Senior managers who find themselves in the C-suite for the first time, Crisis Counsel should be mandatory reading. Such specific legal and communications provocations are not covered in university management courses, and the introduction is replete with illuminating case studies and key takeaways. The author provides sage advice for Chief Executives who must ultimately make a decision based upon what they think is the right thing to do; often under pressure. Crisis team leaders and team members will find this book equally of value, as the more you know about it, the better you and the team will be.” – Jim Truscott, Director, Jim Truscott & Associates Pty Ltd, Perth, Australia
Tony Jaques adjusts this picture in masterly, yet eminently readable terms. His comprehensive discussion of apology in crisis management is likely to be a go-to source for years to come. For university teachers like me, it’s a rich source of well-researched case studies. A gem!” – Chris Galloway, PhD, Head of Pubic Relations, Massey University of New Zealand