Last year was cyber-scary. On average, hackers attacked computers with internet access every . Businesses experienced ransomware incidents every . Almost expressed worry that a cyberattack on their company is not just likely, but inevitable.
In 2020, the cyberscape doesn’t look any less intimidating for organizations across the economy and, more specifically, for their communicators. Edelman’s U.S. Data Security & Privacy Group recently did an informal survey of our clients to find out what keeps them up at night about cybersecurity. There’s plenty.
How can brands best prepare for IT risk through the year ahead? Here are three recommendations, which you might think of as belated New Year’s resolutions:
Resolution #1: While “breach fatigue” may numb organizations to the risk of cyberattacks, don’t be caught “fatigued” when it comes to preparedness.
Because breaches are so common, companies may see little use in mounting strong defenses against an attack; at this point, they’re “breach fatigued.” Still, almost 90 percent of clients we surveyed say they are more concerned about data security and privacy today than they were five years ago. And more than half of client respondents ranked “the big breach” as the privacy/security risk they are most concerned about. Ransomware and infrastructure hacks ranked top of mind for our clients for good reason: Experts predict cybercrime will increasingly become a weapon of choice for antagonistic nation-states, while hackers are continuing to target under-resourced organizations and municipalities with ransomware.
Establishing plans and processes for responding effectively to disruptive data breaches and security incidents is now table stakes for organizations. Federal agencies like the Department of Homeland Security have stepped up their efforts to educate and prepare utility companies for worst-case-scenarios. But a plan alone is not enough 鈥 conducting tabletop exercises and simulations is critical to testing the effectiveness of these tools. Unfortunately, more than are still not testing their incident plans regularly.
Resolution #2: Beyond “the big breach,” organizations must be more prepared to communicate about issues related to data usage and privacy.
Nearly half of clients we surveyed say they feel very prepared to respond to a big breach. At the same time, nearly 20 percent said they are not at all prepared to respond to questions about ethical use of technology, and nearly two-thirds of clients replied that they feel only moderately prepared to respond to scrutiny on privacy and data use issues.
While most clients have a privacy policy in place, few brands have made communicating those policies a priority, or do so in a way that resonates with consumers. Only one-third of clients we surveyed have a privacy policy posted to their website in consumer-friendly terms. (Think of the “terms and conditions” agreements you’re asked to check all the time.)
One cyber attorney I spoke with recently discussed the difficult communications balance organizations face when it comes to privacy disclosures, especially under Europe’s GDPR requirements and the California Consumer Privacy Act, which took effect in January: “On the one hand, companies’ privacy policies need to be detailed and encompassing of all of the various required aspects of these new and evolving regulations. On the other hand, these policies can then quickly become too long and cumbersome for consumers to read and understand.”
Organizations should focus on crafting an enterprise privacy narrative and positioning platform that balances legal/regulatory and reputational imperatives around communicating to consumers in the clear and transparent manner they demand of brands today.
Resolution #3: Communicators must enhance the readiness of their CIOs/CISOs to be the face of their organizations’ cyber communications response.
Few organizations have invested in equipping their CIOs/CISOs to communicate with regard to data security issues, possibly because the job of a CIO/CISO in the wake of a breach can be insecure (Exhibit A: Capital One). While the majority of client respondents say they have a cybersecurity crisis communications playbook and undergo crisis-training exercises, only one-third of clients we surveyed have a CIO or CISO who has been media trained.
Before a significant cyber incident makes this too little, too late, companies should invest in media/communications training for CIOs/CISOs to assess their potential as spokespeople, and to educate the organization’s technical experts on the reputational considerations involved in cyber incident response. This ensures organizations have a bench of spokespeople to draw on depending on the severity or scope of the issue and its impact on the brand.
Jamie Singer is senior vice president, Crisis & Risk, U.S. Data Security & Privacy Group.