With the recent high-profile hijack of the AP’s Twitter account that claimed an explosion at the White House, attacks on a number of major banks, and the indictment of a former Reuters editor for conspiring with members of the hacker group ‘Anonymous’ to attack a competitor’s website, we are seeing increasing sophistication in data breaches and transformations in how cyber warfare is being waged.
As evidence of this evolution, Verizon recently released its annual Data Breach Investigations Report with some surprising findings:
- 37 percent of breaches hit financial organizations
- 24 percent of breaches happened in retail and restaurants
- 92 percent of breaches were perpetrated by outsiders
- 19 percent were attributed to state-affiliated actors
What is interesting about the report’s findings is that, while 60 percent of the breaches are focused on the usual targets of financial institutions and retail operations, 40 percent are not — meaning that cyber-attacks are becoming increasingly sophisticated in who they target and how they mine for information. And while the vast majority of data breaches continue to be the result of financially motivated attacks, there is a marked increase in cyber-espionage campaigns that seek to undermine the stability of governments and corporations alike. In fact, as a sign that cyber-espionage campaigns will only increase in occurrence and severity, the U.S. military recently increased its resources for cyber-warfare by 20 percent, up to $4.7 billion.
This level of preparedness raises the question: If the U.S. government has recognized the threat that cyber-warfare represents at the state level, why has corporate America not responded in kind with a similar level of preparedness and resource allocation?
Far too many companies, despite the complexities involved with data breaches, take an approach to data breach preparedness that is too generic, relying on a broad suite of materials and communications that don’t reflect the true operating realities involved with these types of attacks.
In the midst of an attack, and because these risks escalate instantaneously through social and other outlets, crises now erupt within minutes. Without a thorough readiness plan, it is simply impossible to manage breach communications as the breach unfolds, because events are assessed through a public magnifying glass from inception.
It becomes essential that a company not only focuses on its present reputational risk exposure but also protects the organization against future data breaches. Granted, some companies and industries, by nature of their business, are more on the front line than others; however, there are several important risk-management principles relevant to all companies, including:
- Future-proof your organization: Organizations need to accept the idea that a breach is likely – and prepare accordingly by building both the mindset and capability to enable quick response.
- Recognize that not all data breaches are created equal: Communicating around a lost employee laptop with customer information is entirely different than if a hacker group attacks your electronic payment system. Preparedness needs to reflect this complexity.
- Identify your allies in advance of a breach: Can you quickly call an external PCI compliance expert? Do you have an IT security forensic expert who routinely audits your network for exposure? Does your PR agency understand the issue and is the agency ready to help you deal with the press calls that will come? It’s critical to identify that external network now and not in the midst of an attack.
At the end of the day, what is most at risk comes down to one word: trust. Those tasked with managing the reputational, operational and financial risks around a data breach need to be prepared to quickly and critically evaluate the threat they are facing and determine how best to navigate a path forward that protects the trust placed in their organization. Those neglecting this reality do so at their own peril and at the peril of the financial, operational and market impacts these breaches can cause.
Andy Liuzzi is a vice president and group manager of the Edelman Chicago Crisis and Issues Management team.
Image by Eric Fischer.