Six actions to make sure you’re ready when—not if—a cyberattack strikes.
“Beginning today, all passwords must include sign language, thumb fingerprints, and animal noises,” read a sign in a corporate office I visited recently. Unfortunately, contemporary cyber challenges extend way beyond password protection.
Among the most costly and troublesome matters facing boards today are crises created by cyberattacks and hacks.
As the Wall Street Journal noted in September, “Cybersecurity has emerged as a key business risk that threatens firms’ ability to operate or even survive, and boards face increasing pressure to ensure that cybersecurity risks are effectively managed.”
Cyberattacks cause data, privacy, and financial issues and countless organizations are just not prepared for the cost, operational, and reputation reach of these disruptions, nor C-suite time and resources drained addressing the cyber crisis.
“If it were measured as a country, then cybercrime—which is predicted to inflict damages totaling $6 trillion globally in 2021—would be the world’s third-largest economy after the United States and China,” reported Cybersecurity Magazine. Estimates suggest global losses could hit $10 trillion by 2025.
Cyber crisis response—before, during, and in the aftermath—demands innovative thinking, new skills, and contrasting approaches that match the breadth, depth, magnitude, and speed of today’s online world.
Much is revealed about leadership in moments of crisis. In the event of a cyberattack, companies must quickly determine what’s going on and how to neutralize it—and at the same time preserve corporate brand and reputation, employee morale, equity value, and sales. It requires grace under pressure and transparency. Those ill prepared will suffer far more than 15 minutes of global shame.
As former president Ronald Reagan said, “The greatest leader is not necessarily the one who does the greatest things. He is the one that gets people to do the greatest things.”
Understanding the Impact
There are three basic sources of digital attacks. All have reputational considerations and consequences.
Outside attacks. Crime syndicates or state actors; overseas competitors seeking theft or destruction; as well as ransom, extortion, retaliation, or denial of service.
Reputation attacks. Against brands, operations, or issues from activists or trolls seeking to disrupt; digital attacks on leaders or board members; an operational mistake, compounded by inept fact gathering and communications.
Internal attacks. Carelessness or intentional leaks by current, disgruntled, or former employees seeking retaliation for work issues, commercial espionage, or financial gain.
Our firm repeatedly sees that companies underestimate internal attacks. When law enforcement investigates cybercrime, they look inside first.
Are you prepared for a two-hour digital day?
Cyberattacks are a form of terrorism, and these disruptions drive fear and uncertainty and unsettle trust. During a cyberattack, constituents need assurance that the crisis is being skillfully overseen, and the organization’s leaders need to communicate at every level to face and direct change.
Speaking in Europe before two groups of board chairs and CEOs, I said, “In the face of today’s black swan events, last year’s thinking and crisis plans are ineffective and should be dragged into the trash icon. They will not be effective in today’s digital world.”
Cyberattacks do not usually occur during normal business hours. They happen at night, on weekends, or on holidays when companies have limited resources to deploy. Many would be surprised how few companies are prepared or trained for that scenario.
In my coauthored book, Digital Assassination: Protecting Your Reputation, Brand, or Business Against Online Attacks, we established a standard digital response process, as well as response time for digital harm of eight hours.
Today, that concept is crucial, as speed and magnitude have dramatically accelerated. We now face a two-hour digital day.
When assassins mount a public assault—something that must be acknowledged or answered—you really only have one or two hours for an initial response, as posts turn viral in today’s instant, mobile environment.
Countless corporate cultures and leaders, and notably their advisors, are simply not organized to operate at this warp digital speed.
Six Actions to Minimize the Impact of Cyberattacks
In addition to understanding these new dimensions of time, to minimize the impact of a cyber crisis and respond effectively, there are six effective actions that corporate boards and management should follow.
Who’s the boss? Appoint a C-suite executive to lead and train a company cyber-crisis SWAT team. Its mission is simple: be available to immediately respond to a cyber crisis 24/7/365. This team should predetermine obvious cyber-crisis scenarios and responses based on company industry and geography. It should include leadership from communications, human resources, investor relations, information technology (IT) , marketing, legal, operations, and sales. Outside resources should have broad experience in these areas and cybersecurity.
Reach out and touch someone. Not only are cyber jobs in high demand, but like most areas, there is a massive talent shortage. The Wall Street Journal noted in December that the cybersecurity talent gap grew by 26.2 percent over the past year, to around 3.4 million unfilled jobs worldwide.
Companies should align with a university that offers a major cybersecurity curriculum—through donations, participation, and research—to continually attract top talent and be on top of trends. In addition, encourage IT team members to participate in professional organizations that provide best practices, papers, and seminars on cybersecurity and report back about changing and trending issues.
Practice makes perfect. Perhaps the most important thing a company can do is conduct a tabletop exercise, led by independent professionals with broad experience in cyber crises. This exercise can identify weakness in command structure, knowledge of internal processes, and the complex and considerable impact of external forces brought on by the crisis. Unfortunately, many organizations focus only on the IT component, not how an attack will affect various constituents, as well as what and how you need to communicate.
Planning for cyberattacks and crises should include the CEO, chief financial officer, chief counsel, and the cyber-crisis SWAT team as noted above. Most who participate in these drills come away chastened, but confident that they are more prepared for an actual attack.
Vanquish evolving challenges. As Michael Bodson, who recently retired as president and CEO of DTCC, a global leader in financial markets, said, “It’s not just about stealing anymore. Concern and focus of boards and management today is to oversee and deploy resources not only to deflect nuisance hackers, but much more importantly, be prepared and defeat a new cybercriminal element, partnering with rogue nations, trying to disrupt economies and commerce, as well as create disorder.”
Another CEO interviewed noted, “No matter what the technology glitch, keep everyone away from the IT people. They do not need others looking over their shoulder asking, ‘What’s happening?’ while they are trying to fix the issue.”
Find a cloud to hide us. Like all business insurance, cyber insurance costs are skyrocketing and becoming more restrictive.
“Cyberattacks are on the rise in all industries, so cyber insurance must be a critical component of any corporate plan,” said Christopher Keegan, cyber and technology national practice leader at Brown & Brown, an insurance brokerage firm. “With an expert internal team and seasoned independent advisors, C-suites and boards must develop a clear understanding of how, to what extent—and for how long—cyberattacks or hacks could impact company operations. Another consideration is what level of insurance will efficiently minimize the financial impact from the most impactful attacks. Not so easy, as risk is ever-changing.”
Insurers will want in-depth information about company cyber policies and procedures. Businesses that can’t satisfy this greater level of scrutiny could face higher premiums and be offered limited coverage or refused coverage altogether.
And just to throw a monkey wrench into the insurance mix, Lloyd’s of London, the world’s leading insurance market, announced that after March 2023, it will not cover most state-sponsored cyberattacks.
Send in the lawyers. “Successful cyber-crisis planning is critical and interdisciplinary. One key ingredient is legal counsel as the company responds to a crisis and effectuates a multi-pronged response across the C-suite and other key sectors,” noted John Cleary, privacy litigation group chair at the law firm Polsinelli. “Particularly in cybersecurity, advance legal input, well before any incident, is essential to help a company adhere to regulatory requirements and legal standards, as well as ensure proper risk management to define customer, counterparty relationships and obligations.
“When a cyber crisis hits, the legal team should be deployed in key areas: confidential analysis of legal issues and potential exposures, liaison with law enforcement, regulators, and review of needed communications,” Cleary concluded.
Don’t Stop Thinking About Tomorrow
Cyberattacks are damaging, penetrating, and now frequent.
Attacks so far have been on single companies. But what happens when we have a multi-company or multi-industry attack on infrastructure, technology, or finance and big enterprises go down?
The cascading effect and disruption to people’s lives, the economy, and the business could be devastating. That’s why we must be continually knowledgeable and vigilant for our companies, as well as our personal lives.
Richard Torrenzano is chief executive of The Torrenzano Group, a reputation and high-stakes issues management firm. For nearly a decade, he was a member of the New York Stock Exchange management (policy) and executive (operations) committees.
NACD: Tools and resources to help guide you in unpredictable times.
Become a member today.