Cyber-Crises Are Never “Just an IT Problem”
by Tony Jaques PhD, Director of Issue Outcomes Pty Ltd, for people who work in issue and crisis management, author of Crisis Counsel: Navigating Legal and Communication Conflict.
Online data failures and ransomware attacks are emerging as a leading and deadly threat to reputation – yet some organisations still seem to be treating them mainly as IT problems.
While cyber-crises are nothing new, experts say they are increasing in frequency and scale. Consider the ransomware attack on Colonial Pipeline which shut down fuel supplies across the East Coast of America, and the attack on JBS Meats which disrupted 47 facilities in Canada, USA and Australia.
Or the global impact of system failures in June at US-based cloud network providers Akamai and Fastly which shut down thousands of companies across the world.
Russian-linked hackers were reportedly paid $4.4 million by Colonial and $11 million by JBS. But for every ransomware case that makes the headlines, many small or medium-sized companies prefer to keep their crises under wraps. Indeed, internet security experts Kaspersky have reported that more than half pay their hackers.
There is a good financial reason to comply. In a notorious case in 2018, the City of Atlanta declined to pay a ransom of about $50,000. Instead, its recovery efforts cost more than $2 million in crisis PR, digital forensics and consultants. And in Australia, cyber-security incidents overall cost businesses an estimated $29 billion every year.
However, the reputational risk is also high. Despite regulators and law enforcement urging transparent reporting of cyber-crime, organisations fear the possible impact of cyber-shaming on share value and brand trust. And they know a breach resulting in loss of consumer personal data can trigger a multi-million-dollar class-action lawsuit.
So why are cyber-crises so damaging to reputation?
- They are so visible. Although some organisations try to hide or minimise data failures and ransomware attacks, social media in particular has made it increasingly difficult to avoid scrutiny.
- So many people are affected. The interconnectedness of modern business means some cyber-crises directly affect millions or even tens of millions. For example, when bank or supermarket systems go down and people can’t access their own money or pay bills or buy groceries, the impact is immediate and widespread.
- They are such an easy headline. Cyber-crises are natural fodder for critical headlines and brand shaming, even though some of the world’s biggest news organisations were themselves brought down by the Fastly failure.
- They are perceived as preventable. Regardless of the technical cause, and whether or not foreign agents are responsible, the reality is that – rightly or wrongly – it’s the big brands and household names which get blamed for failure to prevent the problem.
Too often organisations fall back on default messages such as “It was outside our control” or “We were just one of many companies involved” or “We regret any inconvenience.” These may seem tactically smart but reflect little appreciation of the reputational damage involved. Look no further than the Commonwealth Bank, which attempted that approach but could not escape reputation-sapping headlines last month highlighting that its customers had suffered three system outages in just three weeks.
The challenge for issue and crisis managers is that customers often see cyber-crises simply as a failure of service. They will more likely blame their own supplier, not a previously unknown cloud-based operator on the other side of the world, or some anonymous Russian and Chinese hackers.
Moreover, judgement can be harsh. For example, one pre-pandemic survey across the USA and Europe found three-quarters of consumers would stop engaging with a brand online following a breach, and half would not sign up for an online service that had recently been breached.
As Deb Hileman, CEO of the Institute for Crisis Management, recently asked: “Is your business at risk for a Cyber Armageddon? Yes. What are you doing about it?”
A Parting Thought
Whether we like it or not, data security risks have entered the reputation management and crisis communications field.
Learn more about Reputation Risk in Tony Jaques’ new book, Crisis Counsel: Navigating Legal and Communication Conflict.