Last year was cyber-scary. On average, hackers attacked computers with internet access every 39 seconds. Businesses experienced ransomware incidents every 14 seconds. Almost half of power and utility CEOs expressed worry that a cyberattack on their company is not just likely, but inevitable.
In 2020, the cyberscape doesn’t look any less intimidating for organizations across the economy — and, more specifically, for their communicators. Edelman’s U.S. Data Security & Privacy Group recently did an informal survey of our clients to find out what keeps them up at night about cybersecurity. There’s plenty.
How can brands best prepare for IT risk through the year ahead? Here are three recommendations, which you might think of as belated New Year’s resolutions:
Resolution #1: While “breach fatigue” may numb organizations to the risk of cyberattacks, don’t be caught “fatigued” when it comes to preparedness.
Because breaches are so common, companies may see little use in mounting strong defenses against an attack; at this point, they’re “breach fatigued.” Still, almost 90 percent of clients we surveyed say they are more concerned about data security and privacy today than they were five years ago. And more than half of client respondents ranked “the big breach” as the privacy/security risk they are most concerned about. Ransomware and infrastructure hacks ranked top of mind for our clients for good reason: Experts predict cybercrime will increasingly become a weapon of choice for antagonistic nation-states, while hackers are continuing to target under-resourced organizations and municipalities with ransomware.
Establishing plans and processes for responding effectively to disruptive data breaches and security incidents is now table stakes for organizations. Federal agencies like the Department of Homeland Security have stepped up their efforts to educate and prepare utility companies for worst-case scenarios. But a plan alone is not enough — conducting tabletop exercises and simulations is critical to testing the effectiveness of these tools. Unfortunately, more than half of organizations are still not testing their incident plans regularly.
Resolution #2: Beyond “the big breach,” organizations must be more prepared to communicate about issues related to data usage and privacy.
Nearly half of clients we surveyed say they feel very prepared to respond to a big breach. At the same time, nearly 20 percent said they are not at all prepared to respond to questions about ethical use of technology, and nearly two-thirds of clients replied that they feel only moderately prepared to respond to scrutiny on privacy and data use issues.
While most clients have a privacy policy in place, few brands have made communicating about privacy policies a priority, or done so in a way that resonates with consumers. Only one-third of clients we surveyed have a privacy policy posted to their website in consumer-friendly terms. (Think of the “terms and conditions” agreements you’re asked to check all the time.)
One cyber attorney I spoke with recently discussed the difficult communications balance organizations face when it comes to privacy disclosures, especially under Europe’s GDPR requirements and the California Consumer Privacy Act, which took effect in January: “On the one hand, companies’ privacy policies need to be detailed and encompassing of all of the various required aspects of these new and evolving regulations. On the other hand, these policies can then quickly become too long and cumbersome for consumers to read and understand.”
Organizations should focus on crafting an enterprise privacy narrative and positioning platform that balances legal/regulatory and reputational imperatives around communicating to consumers in the clear and transparent manner they demand of brands today.
Resolution #3: Communicators must enhance the readiness of their CIOs/CISOs to be the face of their organizations’ cyber communications response.
Few organizations have invested in equipping their CIOs/CISOs to communicate with regard to data security issues, possibly because the job of a CIO/CISO in the wake of a breach can be insecure (Exhibit A: Capital One). While the majority of client respondents say they have a cybersecurity crisis communications playbook and undergo crisis-training exercises, only one-third of clients we surveyed have a CIO or CISO who has been media trained.
Before a significant cyber incident makes this too little, too late, companies should invest in media/communications training for CIOs/CISOs to assess their potential spokesperson abilities, and to educate technical experts in the organization on the reputational considerations involved in cyber incident response. This is important for ensuring organizations have a bench of spokespeople to potentially leverage depending on the severity or scope of the issue and its impact on the brand.
Jamie Singer is senior vice president, Crisis & Risk, U.S. Data Security & Privacy Group.