Cyber-crises are never ‘just an IT problem’  

Online data failures and ransomware attacks are emerging as leading deadly threats to reputation – yet some organisations still seem to be treating them mainly as IT problems. Tony Jaques explains why this needs to change

_{Cyber-crises can be damaging to reputations because they are so visible, make easy headlines and are perceived by many as being preventable. Image: Olhakostiuk/123rf}

While cyber-crises are nothing new, experts say they are increasing in frequency and scale. Consider the ransomware attack on Colonial Pipeline which shut down fuel supplies across the East Coast of America, and the attack on JBS Meats that disrupted 47 facilities in Canada, USA and Australia. Or the global impact of system failures in June this year at US-based cloud network providers Akamai and Fastly, which shut down thousands of companies across the world. 
 
Russian-linked hackers were reportedly paid $4.4 million by Colonial and $11 million by JBS. But for every ransomware case that makes the headlines, many small or medium sized companies prefer to keep their crises under wraps. Indeed, internet security expert Kaspersky has reported that more than half pay their hackers.       
 
There is a good financial reason to comply. In a notorious case in 2018, the City of Atlanta declined to pay a ransom of about $50,000. Instead, its recovery efforts cost more than $2 million on crisis PR, digital forensics and consultants. And in Australia, cybersecurity incidents overall cost businesses an estimated $29 billion every year.
 
However, the reputational risk is also high. Despite regulators and law enforcement urging the transparent reporting of cybercrime, organisations fear the possible impact of cyber-shaming on share value and brand trust. And they know a breach resulting in loss of consumer personal data can trigger a multimillion-dollar class-action lawsuit.
 
So why are cyber-crises so damaging to reputation?
 
They are so visible 
Although some organisations try to hide or minimise data failures and ransomware attacks, social media has made it increasingly difficult to avoid scrutiny.
 
So many people are affected 
The interconnectedness of modern business means some cyber-crises directly affect millions or even tens of millions of people. For example, when bank or supermarket systems go down and people cannot access their own money, pay bills or buy groceries, the impact is immediate and widespread.
 
They are such an easy headline
Cyber-crises are natural fodder for critical headlines and brand shaming, even though some of the world’s biggest news organisations were themselves brought down by the Fastly failure.
 
They are perceived as preventable
Regardless of the technical cause, and whether or not foreign agents are responsible, the reality is that – rightly or wrongly – it’s the big brands and household names that are blamed for failure to prevent the problem.
 
Too often, organisations fall back on default messages such as: “It was outside our control,” “We were just one of many companies involved,” or: “We regret any inconvenience.” These may seem tactically smart, but reflect little appreciation of the reputational damage involved. Look no further than the Commonwealth Bank, which attempted that approach but could not escape reputation-sapping headlines last month, highlighting the fact that its customers had suffered three system outages in just three weeks.
 
The challenge for issue and crisis managers is that customers often see cyber-crises simply as a failure of service. They will more likely blame their own supplier, not a previously unknown cloud-based operator on the other side of the world, or some anonymous Russian and Chinese hackers.
 
Moreover, judgement can be harsh. For example, one pre-pandemic survey across the USA and Europe found three-quarters of consumers would stop engaging with a brand online following a breach, and half would not sign up for an online service that had recently been breached.
 
As Deb Hileman, CEO of the Institute for Crisis Management, recently asked: "Is your business at risk for a Cyber Armageddon? Yes. What are you doing about it?"
 
Tony Jaques is an expert on issue and crisis management and risk communication. He is CEO of Melbourne-based consultancy Issue Outcomes and his latest book is Crisis Counsel: Navigating Legal and Communication Conflict.