[BreachExchange] Protecting Your Reputation From Cyberattacks Isn't Impossible If You Do These 3 Things
Destry Winant
destry at riskbasedsecurity.com
Wed Nov 28 09:33:00 EST 2018
https://www.forbes.com/sites/ryanerskine/2018/11/28/protecting-your-reputation-from-cyberattacks-isnt-impossible-if-you-do-these-3-things/#1363b63924a6
Back in September 2017, the credit monitoring firm Equifax disclosed a
breach that exposed the personal information of more than 140 million
people.
The data breach soon turned into a public relations catastrophe,
causing major damage to the credit brand’s reputation. Equifax’s Buzz
Score -- an indication of how negative or positive people feel about a
brand -- fell 33 points in the first 10 days after the hack was
publicized. For context, that’s a 44 percent larger Buzz decline than
the one Chipotle Mexican Grill suffered in October 2015 after its E.
coli crisis.
Even the best customer service in the world won’t matter for a brand
with a damaged reputation. Within the first week after the breach,
Equifax lost four billion dollars in stock market value, and its costs
directly associated with the breach totaled an additional $439 million
by the end of 2017.
Equifax isn’t an exception -- cyberattacks attacks are happening, and
with a vengeance. CenturyLink, in its 2018 Threat Report, revealed
that it tracked 195,000 threats, on average, every day. In fact, by
2021, cyber researcher Cybersecurity Ventures has estimated the
world’s annual cost of cybercrime to be $6 trillion.
In the meantime, compliance with new online regulations continues to
be a challenge and many are still adjusting to the new normal created
by the European Union’s General Data Protection Regulation.
Coming out of National Cybersecurity Awareness Month and into the new
year, it’s a good time to step back and think carefully about why
beefing up cybersecurity and regulatory compliance may be one of the
most important steps a company can take to protect its reputation.
Here are a few simple rules to keep in mind.
Speak In A Language That Motivates And Makes Sense
Team members whose jobs are not centered on compliance -- customer
service or sales, for example -- may be tempted to circumvent
cybersecurity best practices as they go about their day-to-day jobs.
When security efforts cause additional work that distracts from
primary tasks, it’s easy to understand why employees will choose
noncompliant behavior. They essentially opt for efficiency over
security.
An effective way to help employees fight that temptation is to focus
on the value behind prioritizing these efforts and the reasons why
doing so will positively impact their individual job functions.
For customer-facing roles, for instance, it might help to ditch the
jargon and simply explain that regulators are enforcing these new
rules because consumers demand them.
David Wagner, president and chief executive officer of Zix, an email
security company, explains that value: “Most adults have fallen victim
to a data breach and are increasingly appalled by how companies misuse
their personal data. [They] want to work with companies that can prove
they take data protection seriously.”
Making cybersecurity and compliance part of everyone’s primary
function -- and explaining it in a way that employees understand --
goes a long way toward remaining compliant and gaining customer
confidence.
Be An Example For Your Team
Cybersecurity isn’t just an issue for IT. Every single employee can
affect a company’s level of security depending on what they do -- or
don’t do -- as they carry out their day-to-day responsibilities.
Cybersecurity is every employee’s responsibility. But employees are
unlikely to prioritize cybersecurity and regulatory compliance best
practices if leadership doesn’t set a good example.
One way to keep motivation high is to find ways to incentivize those
who follow or support a culture of cybersecurity. Companies that send
out weekly cyber tips emails might reward those who read them by
entering those employees into a gift card raffle. Gamifying
cybersecurity awareness can be as simple as offering prizes to those
who complete supplemental security training programs, report phishing
messages, and engage in other pro-security activities.
Experts suggest employing a rigorous patch management system to keep
track of which employees are installing software updates and which
ones are falling behind. But while there may be consequences for those
who fail to keep up with recent patches, try to find opportunities to
publicly praise those who are practicing good security hygiene.
Know Where You’re Vulnerable
No two businesses have the same exact cybersecurity risks and threats.
Assessing those risks first allows a business to address its most
critical vulnerabilities -- and keep existing systems as efficient as
possible -- rather than attempting to prioritize all cybersecurity
efforts at once.
To start the process, some businesses hire third-party companies to
conduct the risk assessment, although that can be expensive. Others
decide to complete that assessment in-house, though it’s worth
considering that some industries requires special certifications that
only specialists can provide.
Depending on the risk assessment, common next steps include exposing
employees to online phishing simulations, scanning websites and
networks for vulnerabilities, and securing physical devices.
Most cybersecurity practices, though, are only as effective as the
employees who enact them. Keeping hackers at bay ultimately comes
down to both identifying risks and consistently defending against
those risks. Only companies who do both will have the best chance of
keeping cyberattacks -- and damaging PR catastrophes -- at bay.
More information about the BreachExchange
mailing list