[Editor’s note: The below article, originally published in the Managing Outcomes newsletter, is an excellent look at the hot topic of cybersecurity from our colleague and frequent contributor Tony Jaques.]
2014 was a landmark year for cybersecurity, which saw a real change in reputational risk for corporations and other organisations. It also reinforced once and for all that hackers and data breaches are never “just an IT problem”
The year began with US retailer Target admitting that hackers stole personal financial details of up to 70 million people in a pre-Christmas raid, and the World Economic Forum in Davos declaring cybersecurity a major global risk. And the year ended with hackers compromising the details of 83 million accounts at JP Morgan Chase, making it one of the biggest data breaches in history, followed by the utter debacle of the Sony hacking attack and North Korea threatening retaliation over a supposedly funny movie about the assassination of Kim Jong-Un.
Of course cybersecurity is nothing new. Yet a frightening catalogue of similar events in 2014 helped moved the focus from firewalls and criminal penalties and technical solutions to corporate crisis response and reputation management.
Organisations which are the victims of hackers are routinely criticised for poor online security; for failure to take proper measures; and for slow or inadequate communication to affected parties. But the cyberattack on Sony and its decision to withdraw the movie “The Interview” in the face of North Korean threats moved cybersecurity onto front pages around the world and mobilised a new crowd of stakeholders and commentators, including film-stars, free speech advocates, and politicians right up to the White House.
It’s ironic that all this attention should be generated by a movie which film critic Scott Mendleson called a “below average comedy” on his list of top ten most disappointing movies of the year. While Sony eventually authorised a limited release of the film, a conga-line of self-appointed experts have attacked every aspect of the company’s response – for giving in to threats; for potentially endangering the lives of moviegoers; for undermining free speech and for making the movie in the first place.
Although the facts of the case have still to be fully resolved, issue and crisis managers everywhere should take note that cybersecurity has now well and truly moved to centre stage as a crisis risk. It has always been true that how an organization responds to a crisis can be a far greater risk than the crisis event itself and can endanger the reputation of the whole enterprise. As the Sony case shows, this is certainly true when it comes to a cyberattack.
The CEO of Sony admitted his company had “no playbook” for how to respond, but he argued that his firm was “adequately prepared” but “just not for an attack of this nature,” which he said that no firm could have withstood. Maybe he deserves some sympathy, but the reality is that many organisations are still focused mainly on technical solutions and are not prepared to manage a cybercrisis at a management level.
And the threat is not confined to American corporate giants. A recent report showed that Asian countries are seen as the most likely targets of cyber-attacks in the world, and a study of Australian small to medium businesses showed that more than half have no risk plans or strategies in place in the event of a crisis.
Cybersecurity clearly now rests firmly in the executive suite, and the birth of a New Year seems like a great time to start getting prepared.
Tony Jaques manages Australian-based issue and crisis management consultancy Issue}Outcomes, and is the author of Issues and Crisis Management: Exploring Issues, Crises, Risk and Reputation.