Cyber-security needs more crisis preparedness, less blame-shifting
by Tony Jaques, Director of Issue Outcomes Pty Ltd, for people who work in issue and crisis management
How many more times will we have to hear some struggling organization announce that a cyber-breach or data leak was caused by a failure at a third-party contractor?
It might be true, and it might be an explanation, but it’s not an excuse!
Consider the Latitude Finance cyber-breach in March, originally reported as 330,000 customers’ data stolen and later escalated to a record-breaking 14 million personal records, affecting perhaps eight million people across Australia and New Zealand.
The company said the attacker appeared to have used employee login credentials to steal personal information that was held by “two other service providers.”
More recently, when 16,000 files relating to Tasmanian schoolchildren were leaked onto the dark web, the data was reportedly accessed through a “third-party file transfer service.”
Referring to the Latitude Finance debacle, Associate Professor Rob Nicholls at the UNSW Business School pointed out: “If a company outsourced to a service provider and got them to agree it’s their responsibility, that might be the case contractually, but in terms of governance it hasn’t solved anything… It doesn’t matter if you’ve outsourced, you’ll still be held liable.”
While attempting to displace blame might give the appearance of reducing responsibility, the obvious underlying problem is a lack of adequate crisis preparedness and of formal governance frameworks.
A study by the Australian Institute of Company Directors last year found that 72% of respondents said cyber-security is a “high priority” for their board. However, more than half (53%) said they had no dedicated crisis planning or cyber resilience plans in place. And only a shockingly low 21% receive regular reporting on the cyber performance of those increasingly critical third-party suppliers.
Although the Australian Federal Government has announced massive increases in corporate fines for persistent data breaches and is staging cyber “war games” for banking and other vulnerable sectors, the focus still seems to be more on what to do after a crisis strikes and how to minimize impact rather than how to prevent a crisis occurring in the first place.
The government’s technical approach is important, but the reality is that cyber-crises are never “just an IT problem.” A cyber-crisis risks financial losses, fines, falling share value, class-action lawsuits, and reputational damage – just like any other crisis.
A report earlier this month found the Australian telecommunication industry has overtaken social media as the most distrusted industry. This was primarily driven by the “toxic levels of distrust” following the highly publicized data breach late last year at Optus, which came in as the second most distrusted brand in the nation.
CEO Michelle Levine of research company Roy Morgan commented: “Unfortunately for Optus, it has been proven that brands which suffer major scandals find that once distrust takes hold, it is very difficult to curtail.”
A statement of the obvious perhaps, but it highlights that cyber-failures need to be a central responsibility of top management in general and crisis managers in particular, not just IT professionals.
Of course, cyber systems and penetration testing need to be more robust. Yet the fact remains that more than half of the Australian companies surveyed said they had no dedicated crisis planning or cyber resilience plans in place.
Australian crisis expert Gerry McCusker stresses that crisis preparedness is the key and crisis simulation is an essential tool to get organizations more crisis ready. “By running crisis training workshops, organizations can identify weaknesses in their response plans and take steps to address them before any real risk occurs.”
And Deb Hileman, CEO of the Institute for Crisis Management, asks the fundamental question: “Is your business at risk for a Cyber Armageddon? Yes. What are you doing about it?”
A Parting Thought
“There’s no such thing as impossible. Just inadequate preparation.”
Jack Reacher (Lee Child)
Tony Jaques is Director of Issue Outcomes Pty Ltd, for people who work in issue and crisis management
Learn more about Reputation Risk, CEO apologies, and Crisis communication in Tony Jaques’ new book, Crisis Counsel: Navigating Legal and Communication Conflict.
“Crisis Counsel confirms Tony Jaques’ position as one of the industry’s foremost experts on issues and crisis management. In addressing the complex interactions between legal and communication crisis responses Dr. Jaques provides riveting case studies and practical advice. It highlights the financial and reputation risks of not effectively integrating communications and legal counsel. It should be on every communications practitioner’s reading list and companies should insist their in-house and external legal counsellors read it.” – Noel Turnbull, Former Chair of Turnbull Porter Novelli, Adjunct Professor, RMIT University.
“For senior managers who find themselves in the C-suite for the first time, Crisis Counsel should be mandatory reading. Such specific legal and communications provocations are not covered in university management courses, and the introduction is replete with illuminating case studies and key takeaways. The author provides sage advice for Chief Executives who must ultimately make a decision based on what they think is the right thing to do, often under pressure. Crisis team leaders and team members will find this book equally of value, as the more you know about it, the better you and the team will be.” – Jim Truscott, Director, Jim Truscott & Associates Pty Ltd, Perth, Australia
“For far too long, the role of lawyers in crisis management has been neglected. If discussed at all, it is often in negative terms. Tony Jaques adjusts this picture in masterly, yet eminently readable terms. His comprehensive discussion of apology in crisis management is likely to be a go-to source for years to come. This is a welcome book for anyone interested in how crisis-confronted corporations (and other organizations, too) can navigate the tricky legal waters of communicating under fire. For university teachers like me, it’s a rich source of well-researched case studies. A gem!” – Chris Galloway, PhD, Head of Public Relations, Massey University of New Zealand