In my experience, while the legal profession has well-thought-through systems and policies to manage the legal elements of a cyber breach, there can be a dearth of ‘big picture’ thinking to bring focus to all the elements of a breach, particularly the threat to an organisation’s reputation.
The old adage attributed to Warren Buffett – it takes 20 years to build a reputation and five minutes to lose it – can be rewritten for the digital age: it takes 60 seconds to lose it.
One of the key risk factors for the legal profession is overconfidence in the organisation’s ability to deal successfully with a breach. By way of example, a recent survey showed that 88 per cent of in-house counsel rated their company’s ability to manage a social media crisis as ‘good or very good’, yet the same group estimated that the average time it would take them to act was 38 hours.
In the digital age, news of a cyber breach often breaks on social media, where it spreads almost instantly. One of the realities of a planet with more than 7 billion mobile devices (more than there are people) is that information proliferates at incredible speed.
Preparation (as always) is a key factor in successful execution
A key observation from numerous experiences at the coal face is that preparedness significantly reduces the amount of damage done. The harsh reality is that organisations without robust systems and policies in place usually find out far too late that they have been compromised, and they lack effective plans to manage the response.
“There are two types of companies in the world: those that know they’ve been hacked, and those that don’t” – Misha Glenny, journalist and author on cyber security
In many cases, companies which have been breached find out about the breach from a third party, frequently customers or partner organisations, and this often manifests through negative social media posts.
Fifty-one per cent of organisations surveyed by the Australian Cyber Security Centre in April 2017 said that they tend to be alerted to possible breaches by external parties before they detect them themselves.
A credible social media listening tool should be a hygiene factor in the risk management planning of every organisation, yet many organisations do not have such a tool in place.
There is now nowhere to hide
The mandatory data breach reporting legislation, which comes into effect in February 2018, is a game-changer and will alter the landscape for legal firms and their clients. How organisations respond to a breach is about to become even more important, and there will be nowhere to hide.
Even if the news does not break on traditional or social media, these new reporting requirements mean that organisations will have to inform affected customers directly as well as the Office of the [Australian] Information Commissioner and, where direct notification is not practicable, publish a statement about the breach online.
Handling communications around a breach
In my experience most organisations are woefully underprepared for the significant risks associated with a cyber breach, particularly the brand damage, which can be vast, that follows a poorly handled response to a cyber attack.
It is critical for companies to have a plan in place that covers how to communicate with all stakeholders such as clients, regulators, staff and suppliers.
“Only 52 per cent of organisations have a cyber security strategy in place” – Grant Thornton report, 2016
Preparation is key. Many firms have not established communications channels that let them reach all clients quickly. Organisations frequently (and rightfully) get criticised for failing to have adequate processes in place and therefore not alerting affected clients soon enough.
Consider how your clients would react if your systems were compromised and you could not use email, as DLA Piper found earlier this year when it was hit by a ransomware attack and had to text staff and clients telling them not to use email or landlines and to communicate only via mobile numbers.
Importantly, providing regularly updated guidance on what customers should do if their information has been breached should be a key part of the communications strategy.
In our experience, bringing in third-party experts, such as an independent security expert, is a vital strategy to cut through the obvious loss of credibility when an organisation has suffered a major breach and managed it poorly.
Managing media and social media
There is tremendous power in proactivity when it comes to communication. While each situation is different, as a principle we almost always advocate a proactive approach to informing all affected parties. Even if the mandatory reporting requirements do not apply in particular circumstances, a client finding out through the media that there has been a breach at the firm will be considerably more damaging than being informed upfront, with an authentic apology from the firm.
While the legal requirements may be clear, handling the specific needs of each stakeholder group through rapid communications and tailored messaging forms an important part of the process. In our experience, it often requires direct communication from the CEO to reassure affected customers. In fact, we have even had instances where handling customers well has attracted positive feedback from impacted customers.
Disgruntled customers or impacted parties who are prepared to speak to the media will always add fuel to the story. Customers speaking out add a new dimension to the coverage and can dramatically increase the impact.
A breach does not have to be a catastrophe
While cyber risk is a day-to-day reality, a breach handled rapidly and with due concern for all of the stakeholders involved does not have to be business threatening. Some upfront preparation gives a considerably higher chance of limiting the reputational damage to the organisation, and given that a cyber breach is a matter of ‘when, not if’, there is every reason to get started today.
Geoff Fowlstone is a principal at Fowlstone Communications. Geoff has an extensive background in corporate affairs, investor relations, investment banking and politics. He has held senior roles at Burns, Philp & Company, Gresham Partners and in New South Wales politics. Since establishing Fowlstone Communications in 1999, he has advised some of Australia’s largest public companies through very high-profile and complex issues in diverse industry sectors.