The one major blind spot in most cyber risk strategies

The one major blind spot in most cyber risk strategies

Cyber risk is rapidly becoming one of the most significant existential threats to businesses, institutions and other actors and their reputations. Living with an open-ended risk, potential targets of cyber-attacks are now – more than ever – under high pressure to build more effective and broad spectrum, resilient capacities. One key focus that gets overlooked: reputation.

2016 recorded a new peak in cyber-attacks. Be it cyber extortion, corporate espionage & state-sponsored attacks, bank fraud, data manipulation, theft & kidnapping (ransomware) or hacktivism: sources of cyber risk are growing more complex and versatile making it highly difficult to prepare for them. More importantly, everyone and everything has become a target including corporations, governments, political institutions and security authorities. The key message is: anyone can be hit at any time.

Therefore, ramping up one’s efforts for ensuring the highest cyber security level possible must be a key priority on everyone’s agenda as this can also be turned into a competitive edge.

Despite this dramatic recent increase in cyber-attacks, potential targets still seem to heavily underestimate the reputational damage an attack can entail. Moreover, the wider repercussions of these attacks are decisively dependent on how a target will ultimately handle the internal and/or external communications crisis vis-à-vis the cyber crisis itself as both crises are closely intertwined and have to be resolved via a concerted effort.

Against this backdrop, building cyber resilience capacities must be seen through various lenses, not only a technical one, and cyber security communications is one of them.

Cyber risk today

Cyber-attacks reached record levels in 2016: the damage to the global economy is estimated to exceed $400 billion a year. In 2015, more than 500 million personal records were stolen. The wider cyber risk landscape has significantly increased in volatility and its underlying risk taxonomy has grown more complex. Consequently, this means that a target’s potential attack surface has dramatically expanded based on myriad cyber risk vectors; ranging from human errors (caused by employees), technological risks (originating in hardware, software & information systems failures and the overall introduction and increased connectivity of new technologies), compromised received data from business partners and customers, compromised data storage centers and platforms, failed internal processes (such as product development, design and execution processes) to external events (such as natural disasters, legal and regulatory issues).

The risk of reputational suicide

The loss of reputation is the one of the most underrated corporate and institutional risks in the cyber security realm. This is also due to the fact that when suffering a data breach for instance, targets still mostly treat it as an internal, purely technical issue with no cross-departmental cooperation required.

By focusing on a broad spectrum crisis preparedness and response strategy, every potential target needs to adopt a communicative lens as well since at least one third of customers impacted by a data breach will never do business with the affected company ever again. The potential level of customer base loss is also affected by the way the target is communicating the crisis with all relevant stakeholder groups.

Cyber risk constitutes a tail risk causing extreme losses to companies, institutions and authorities. It directly hurts company value and the overall trust of customers and citizens in corporations, governments, institutions and security authorities. Moreover, public opinion materialises very quickly, but it takes a very long time to re-shape it. This means that if a targeted actor is perceived to fail in managing a cyber-attack properly, this perception will remain for a long time to come. By not building resilience will cause “reputational suicide“ which can be fatal for any organization. This is also aggravated by increased media focus on cyber attacks which has certainly raised the stakes on how companies and other actors respond.

Key challenges of cyber security communications

Building cyber risk resilience requires a systematic approach. In order for crisis communications to take full effect during an ongoing crisis, actors have to adequately prepare themselves based on a 360° approach regarding various stakeholder groups. Interestingly, IT departments on the front line of cyber attacks generally have no understanding of and experience in cyber security communications, often creating failed cross-departmental information sharing behavior.

In this respect, the greatest challenges lie with the potential misconceptions about the significance of risks on the one hand – the fact that in most cases neither the attacker(s) nor his / their intentions are known – and whether cyber risk is considered more a specialized rather than a normal risk, on the other. Another challenge originates in the high volatility and dynamism of cyber incidents making it very difficult to quantify damages and communicate the urgency of an attack since the impact and scale of an attack tend to increase over time. Additionally, cyber risk acts cross-functionally and must be treated as an overarching business challenge that requires leadership, therefore it must be seen as a board-level issue. Furthermore, cyber security will always be imperfect as cyber risks are open-ended in nature and require constant adaptation and trade-offs that may directly affect operations.

Nevertheless, an effective, versatile and adaptive cyber security communications strategy constitutes both a clear-cut competitive edge and opportunity to better understand corporate strengths and weaknesses. All in all, cyber resilience is mostly technical in nature, but consists of various dimensions. Only actors that are aware of the latter point will be able to prepare themselves for a live attack in a way that will allow them to effectively limit the damage or even fully protect their reputation.

About Author

Christian Hellwig

Christian is currently working as a Manager of Corporate Communications, Reputation Management & Public Affairs with a leading German digital real estate start-up. Additionally, he also works as a freelance political consultant and public policy analyst. Prior to this, he worked for a government relations law firm as a research analyst focusing on lobbying in the EU and commodity trading. Christian holds a MSc in International Relations from London School of Economics & Political Science and a first class honours BA from a leading German university in Governance & Public Policy.