Protecting brand reputation in the wake of a cyber attack
The main way that most companies interact with their customers and clients is now online, so a reputation for cyber security is integral to doing business and to their brand.
Every company has regarded the threat of an IT failure as one of its principal risks for some time, but fears about wider cyber problems such as a data breach and online fraud have shot up the agenda in the last 12 to 18 months.
Security high on the agenda
Andrew Griffin, chief executive of Regester Larkin, an agency that specialises in strategic crisis management, says: “The series of recent high-profile hacks and data breaches has bumped cyber resilience and preparedness up from an IT department-only issue to high on the executive team agenda.”
Emma Kane, chief executive of Redleaf Communications, a public relations agency, agrees: “Companies are increasingly concerned about the reputational damage that cyber crime can cause. It’s potentially incredibly damaging. In the most severe cases it can lead to a real lack of confidence in the integrity of a company and its ability to keep data safe.”
Johnny Hornby, founder of WPP-backed communications group The&Partnership, says the threats have also multiplied. “Today’s environment is radically different from that of just five years ago, when businesses were only targeted if they held a large and substantial prize,” he says. “Nowadays, opportunists armed with the digital equivalent of a set of lock picks and a crowbar may attempt an attack. So it’s critical that businesses of all sizes continually review the locks on their doors and the transparency of their windows.”
Companies have taken heed after watching three recent cyber crises unfold – the hacking of customer information at telecoms firm TalkTalk, a major e-mail leak at Hollywood studio Sony Pictures and a data breach at American dating website Ashley Madison. In all three cases, there was a knock-on effect on the brand, customers and clients, and the share price.
When TalkTalk’s website was hacked in October 2015, personal information belonging to more than 150,000 customers was compromised, although the breach was not as bad as it had initially feared. However, the telecoms firm’s reputation took a pounding as it emerged that teenage hackers had breached the website with ease. TalkTalk’s share price fell and it lost customers.
Sony Pictures’ website and e-mail hack in November and December 2014 illustrated how cyber-security threats are also international, and potentially even state-sponsored, as North Korea was suspected of targeting the film studio in retaliation for a movie that lampooned the country’s leader Kim Jong-un.
The leaked e-mails were embarrassing for Sony in Hollywood circles as they revealed that some of its senior executives had been privately bad-mouthing the stars and producers involved in some of its films. Parent company Sony’s share price fell nearly 10 per cent and, although it bounced back, Amy Pascal subsequently departed as co-chairman of Sony Pictures Entertainment.
Investors might be willing to forgive a single data breach, but recurrent problems at the extra-marital affairs dating website Ashley Madison forced its chief executive Noel Biderman to resign in August 2015.
He was already under pressure because details of the website’s 37 million users were stolen and dumped online, and then his personal integrity came under fire because leaked e-mails raised questions about his own marital behaviour. The share price of parent company Avid Life Media has halved since the data breaches emerged and Ashley Madison is facing the prospect of multiple legal cases.
Other companies from the BBC to Twitter have seen their websites get “taken down” in recent years by a so-called distributed denial-of-service (DDoS) attack, where multiple systems flood a targeted asset, rather than try to steal information.
Mr Griffin says: “DDoS or a data breach can have significant commercial impacts on an organisation, including loss of customers, significant recovery costs, loss of intellectual data and service disruptions. But the impact can also be reputational.”
Little wonder, then, that many businesses are now keen to improve their cyber defences and to prepare for the next possible crisis.
Preparation, transparency and communication
Tim Burt, UK managing partner of Teneo Strategy, the international advisory firm, says businesses must conduct regular audits of security measures and adopt the latest protective digital tools. “Companies whose reputations are particularly vulnerable to any breach should conduct ‘war games’ to prepare for the various crisis scenarios that arise following a breach,” he says.
Mr Griffin points out cyber security “is often unfamiliar territory” in the boardroom. “It presents new and unique challenges, requiring different functions and teams, such as the advent of the cyber incident response team or CIRT, to collaborate and manage the complexities of a cyber response.”
Mr Hornby, who worked with TalkTalk during its recent crisis, says a cyber breach doesn’t have to be devastating for a company’s reputation. “Customers put their trust in brands, but customers also live in the real world and I think understand that new threats like cyber attacks will happen,” he says. “What’s key for a brand is how it deals with such an attack, and how openly and transparently it communicates with its customers. A big challenge nowadays is the 24/7 media agenda, which demands answers immediately. Cyber crime is often complex and the extent of it is hard to define in an instant.”
Mr Griffin agrees that it is critical to communicate clearly and quickly to protect a company’s brand and reputation. “If you are perceived to act too slowly or with uncertainty, you can quickly lose the trust of your stakeholders, including shareholders and customers,” he says. “The timing of your communication and notification to customers and regulators is critical in a cyber incident.”
He says a company should have three priorities which he describes as “containing the issue, putting their customers first, and positioning themselves as the authoritative source of information”.
Ms Kane warns that a company needs to try to plan for every eventuality, including that a cyber hack or DDoS may knock out its own website or IT systems that are normally used to communicate. “Companies should prepare alternative channels for communicating to their stakeholders,” she says.
Experts also believe it is vital to conduct a post mortem in the wake of any cyber-security breach. As Ashley Madison showed, customers and stakeholders will not tolerate repeated problems.
Mr Griffin says: “Companies must undertake a post-incident review to ensure lessons are identified and learnt. While many organisations are now implementing cyber-crisis preparedness programmes, the cyber ‘plans and playbooks’ are still evolving. We are yet to see the textbook response to a cyber incident come to the fore. But with every crisis, new lessons are learnt.”
Mr Burt adds: “The companies getting it right are the ones you don’t hear about – if you’re in the news because of a breach, it’s already too late.”
Mr Hornby spends much of his time advising clients on their communications and reputation, but he also believes it is vital that his company keep its own house in order.
The&Partnership owns data subsidiary Rapier and Mr Hornby says it consistently reassesses its internal policies and systems to stay ahead of the curve on cyber security.
He has urged his own industry, advertising, to tackle the growing problem of ad fraud and fake views by computer robots. “It isn’t just about spend wasted on advertising that never gets seen by a human. Ad fraud damages brands,” he says. “It’s not hard to find examples of this – for all the work our industry does to build brands, it’s alarming how many of those brands’ content can be found on pornography and other deeply unpleasant websites.”
The battle against cyber crime is now an ongoing cost of doing business. As Mr Burt says: “Constant vigilance is required.”
CASE STUDY: TALKTALK
TalkTalk’s cyber breach in October 2015 has been carefully studied by other companies as an example of what to do and what to avoid in a similar crisis.
The telecoms company’s chief executive Dido Harding impressed some observers because she led from the front in interviews in which she candidly warned that millions of her customers’ data could have been affected.
TalkTalk temporarily suspended its sponsorship of The X Factor on ITV and switched its advertising to alert customers about the cyber breach.
However, Ms Harding soon came under fire when it emerged that it was teenage hackers, not sophisticated criminals, who had got past TalkTalk’s weak online defences and that the cyber breach was not as bad as she had first suggested.
More than 150,000 customers were still affected, but the damage to brand and reputation was greater. The company’s share price fell by a third, it took a near-£80 million hit in costs and lost revenue, and 100,000 customers quit.
Tim Burt, UK managing partner of Teneo Strategy, says: “The company’s over-reaction, taking to the airwaves to claim it may have been a victim of cyber terrorism, exacerbated the consumer reaction.”
But Johnny Hornby, founder of communications group The&Partnership, which advises TalkTalk, believes the telecom company did the right thing.
“Even if there is short-term pain, it’s better to be open and transparent from the outset in the event of an attack,” he says. “Dido Harding’s response during the TalkTalk cyber attack was a great example of this. She responded quickly and openly to both her customers and the media, put her customers first and resisted the temptation to spin a story.”