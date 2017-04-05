Co-authored by Angela Carmichael, senior vice-president,
senior partner and general manager of FleishmanHillard,
Toronto.
Our shift to a digital society has seen the emergence of a new
kind of crime: stealing data and attacking company networks,
whether for financial gain, to send a political message, or
sometimes simply to prove a point. Not surprisingly, this harsh
reality of our digital economy has made cybersecurity a significant
priority for organizations, senior management teams and corporate
boards across Canada and the world.
The financial costs to defend against cybercrimes are not
insignificant: According to Cybersecurity Ventures, it is expected
that companies will spend $1-trillion (U.S.) cumulatively over the
next five years on cybersecurity products and services. However,
spending to defend against the crime doesn't address the
reputational damage a data breach can have on an organization, or
the longer-term revenue implications that result if in fact a data
breach occurs.
A January, 2017, Leger survey commissioned by corporate
reputation consultancy FleishmanHillard showed that nine in 10
Canadians agree that an organization or business that lost personal
information, had it stolen, or shared it by mistake would lose
significant trust and credibility with Canadian consumers. Moreover,
82 per cent of Canadians say that if this were to happen, they would
take their business to a competitor.
So, while it's true that Canadian companies are increasingly
preparing for the financial, legal and technical implications of a
breach, many continue to overlook developing a communications
strategy, which is critical in the early hours and days of a breach
when it comes to protecting reputation over the short and long
term.
From a privacy and legal perspective, requirements are about to
change significantly for companies in Canada. In the very near
term, the federal government will be rolling out regulations that
implement key provisions of the Digital Privacy Act relating to breach
reporting, notification and record keeping. In other words,
corporate Canada will be required to communicate much more
frequently with the Office of the Privacy Commissioner on breaches,
and the Commissioner will in turn have the right to request and
review the newly required corporate security-breach logs at any
time. Companies will also be required to alert affected individuals
in a timely manner where a data breach could result in "significant
harm," as well as any organizations, such as credit bureaus, that
can help reduce the risks to those individuals.
What this reinforces is that data incidents are not legal, IT or
communications problems exclusively. They affect the entire
business and require a multidisciplinary team comprising senior
leadership, IT, operations, communications, legal, HR and managers
responsible for stakeholder audiences such as investors, customers
and business partners.
Ideally, the team should work together before a breach occurs to
develop a cyberresponse plan comprising a communications strategy
that works in conjunction with an IT-response plan. Collaboration
avoids the one-sided approach often seen when organizations work in
silos, which results in a disjointed, inconsistent and delayed
response to issues or crises.
In thinking through threats to the business, the team should
identify organization- and industry-specific risk factors. For
instance, a retailer will tend to focus on breaches related to
payments and customer information, while a public utility will
focus on an interruption of service. Beyond the immediate impact of
a breach, the team should consider the longer-term consequences of,
for example, the loss of intellectual property, employee or
customer records.
Once the risks are established, it is imperative to align how
the organization will communicate with stakeholders. Timing should
take into account IT security and forensics timeframes, and the
team should determine broad thresholds for notification to the
Commissioner and to affected individuals. Settling these in advance
reduces the need for real-time decision-making in an actual crisis,
and with it the risk of inappropriate responses.
Finally, ensure that your organization's first attempt at
managing a cybersecurity crisis is not during the real thing.
Practising in a controlled setting can identify flaws and gaps in
the process, because what makes sense in the plan does not always
work in practice, and personalities can change in the pressure
cooker.
Just as there is no fail-safe method of preventing a
cyberincident, there is no foolproof way of managing an
organization's reputation in the midst of one. However,
recognizing the importance and value of preparation more often than
not goes a long way toward protecting the reputation that your
organization has worked long and hard to build.
Originally published by The Globe and Mail.
