It’s no longer enough for companies to just worry about protecting their organization’s perimeter. I recently sat down with Scott Radcliffe, FleishmanHillard’s leading cybersecurity expert, and he emphasized the need for organizations to focus internally as well as externally to protect from cyber-threats.
Not surprisingly, his suggestions align with recommendations that Greg Eskins, National Cyber Practice Leader at Marsh Canada Limited, and Imran Ahmad, cybersecurity lawyer at Miller Thomson LLP, have shared in our ongoing discussions about crisis preparedness and communications around a cyber breach.
Scott heads up the agency’s Cybersecurity Practice and has deep experience working with companies either experiencing a breach or preparing for one. Having worked with him on a related issue, I wanted to better understand his point of view.
How prepared, in your opinion, are most organizations when it comes to data breaches and cybersecurity?
I know most companies are at least thinking about data breaches and I believe there is a healthy mix when it comes to how prepared they are. At the same time, I’m frequently surprised by organizations you would assume have thought these instances through, but when an incident does occur it becomes clear they have not. Luckily, the trends are pointing more towards companies that want to prepare. One reason is that many insurance companies are incenting policy holders to prepare for this sort of thing and giving premium discounts if they have some sort of data breach response plan. Also, awareness of the overall threat is pushing organizations in the right direction.
How are organizations incorporating cyber-threat response plans into their crisis communications planning?
It really depends on the profile of the company and the industry it’s in. Financial services companies, for example, are targeted all the time, and communications doesn’t necessarily need to be part of each incident of fraud or malfeasance as it relates to customer or company data -- clearly identifying what the thresholds would be to involve communications is something that should be well defined in advance. There are, however, different trigger points for where communications needs to be part of the conversation -- regardless of the industry. Those trigger points can very much depend on the size of the enterprise -- for example, with a small business, any intrusion is a big deal. A lot of this is about having the right process and coming up with defined ways to approach the issue. Content is good, but you can only do so much thinking ahead of time that will be applied to an incident. What has the most impact is making sure the right people are identified and aware that they need to be in the room or on the phone to help work through a response and come to a decision they can present to the organization’s leadership.
Is there a standard for when and how to communicate during a data breach?
First, it is important to note that there is a significant difference between an organization being compromised and when they become aware that they have been compromised. For instance, companies could have a persistent threat and be living with it for years and not know about it. A lot of this is driven by notification requirements, and those requirements can vary by country and even more locally by jurisdiction. In Canada, new regulations are about to be implemented which will require diligence in communication. The compromise of names, social insurance numbers and addresses, as well as the sheer number of customers affected, can trigger a requirement for notification. Laws, regulations, and the lawyers you will no doubt be working with in these situations will help define who and where and how you communicate. The role communications often needs to play is the voice of the customer.
Some questions to guide communications include:
- Is this response sufficient and fair?
- Will consumers believe that the situation is under control?
- Are we being clear about what we do and do not know? And are we setting expectations for when we will communicate next?
- Have we offered assurances to stakeholders that we have their best interests at heart?
What’s important to remember is that these questions will evolve throughout the incident, so the communicator’s work advocating on behalf of the customer is never done.
In your opinion, is our critical infrastructure at risk from cyber-attacks?
By my definition, anything connected to the Internet is at risk.
It is commonly said that all companies experience data breaches at some point -- can you speak to this? How often are they occurring? Are there types of companies or sectors that are targeted more than others?
The reality is that all large organizations are under constant threat. This is especially true in the healthcare and financial services industries, but generally speaking, any organization should be prepared.
What is the most common form of data breach that companies should be aware of?
The most common form of data breach is employee error or malfeasance. Over 60 per cent of data breaches are because of employee actions, and external hackers are taking advantage of this. More often than not it is caused by an employee making an honest mistake. They click on a link they shouldn’t and introduce malware into the system. The malicious actors are becoming more and more sophisticated as time goes on with how they go about exploiting this weakness. For instance, there is a technique called spear phishing -- not a broad blast, but an attack customized to the individual. In essence, your weakest and most vulnerable point usually stems from employees compromising their own networks.
How big of a concern are state-sponsored cyber-threats versus threats from individuals? Is the threat of state-sponsored cyber attacks growing?
In some sense, it should be irrelevant to private sector organizations whether a threat comes from a state-sponsored or non-governmental actor. Private sector organizations don’t need to be worried about the geopolitical motivations of cyber attacks for the most part. They need to leave geopolitical decisions to their governments and law enforcement agencies. State-sponsored actors are potentially better funded and present a well-organized threat -- but from the perspective of a private sector organization, the results are largely the same. Companies should defer to their respective governments as to how to handle the diplomatic dynamics if attacked by a nation-state. Their primary concern needs to be about protecting their network and information. They can then report any relevant information to the government and law enforcement. Attribution is one of the hardest things to do after an attack and the risks of responding to an attack and directing that response towards the wrong entities should be far too high for any private sector organization. Who organizations should turn to specifically is different within every country, but let those who are properly equipped to respond through diplomatic, military intelligence or law enforcement channels handle it.
Are the biggest threats from outside North America?
The biggest threat is from inside your own organization. As organizational leaders, it’s critical to come to that realization so you can properly address that risk. It is a balancing act. You need to protect your organization, but you also don’t want to have an unwieldy network that’s incredibly difficult to use. The saying “physician, heal thyself” applies here, so while it is important to stay vigilant against external threats, it’s equally important to make sure you’re taking steps to mitigate internal threats as well.
What are the most important things that organizations need to consider when they are developing a cybersecurity communications strategy?
- Have a well-defined process for how decisions get made and who is going to make them ahead of any incident.
- Exercise your incident response muscles in the most realistic way you can -- work through the plan and simulate an attack or breach. In the military they say no plan lasts past the line of departure, and the team needs to be comfortable with working through this reality. Test your approach in a controlled setting. Immerse yourself in a drill and test the processes you put in place, and then you’ll be in the best position to adjust that approach effectively before you need to put it into practice in a real-world situation.
- Educate users about threats and how they can be the best stewards of the organization’s network.
What are the top communications considerations organizations need to think about when they experience a data breach (e.g. misconceptions, inflammatory headlines, etc.)?
When an incident happens there is only so much you can do. Try to understand as many of the known facts as you can. Don’t get sucked into the battle of hyperbole and speculation, especially through the media. Don’t throw oxygen onto the fire. As facts become more apparent, assess what and how you need to communicate. Try not to change your approach. You can say: “we don’t know”, and it’s entirely appropriate to express empathy. Say “we will let you know when we find out” and do your best to maintain the balance between transparency and what you know.
What parts of an organization should be responsible for cybersecurity? How should they work together?
The people who need to be involved in almost any cyber situation are: legal, communications, the technical side, and finally someone tied into the relevant line of business. Some clients have a crisis manager -- this is a person who serves as more of a process manager and not someone involved in actively responding to an incident. Some sectors have their own requirements; for example, in healthcare, patient safety would be important to have represented. Be aware of having the right number of people and levels of seniority working on the response. They need to be active participants, and you need to make sure it is a manageable group.