editor’s question
CHRIS MILLER, REGIONAL DIRECTOR, UK AND IRELAND AT RSA SECURITY
Whether it’s Facebook losing US$13 billion in market value after disclosing a breach that impacted 50 million accounts; TalkTalk losing 101,000 customers and footing a bill of around £60 million after customer details were accessed; or the GDPR-related fines handed to the likes of British Airways and Marriott International, it is safe to say that poor cybersecurity can certainly have an impact on a company’s reputation.
To understand the impact that cybersecurity can have on a company’s reputation, we need to take a step back and understand how the role of cybersecurity has evolved in recent years as a result of Digital Transformation and the rising customer expectations that have fuelled it.
While Digital Transformation has delivered huge amounts of value to customers, businesses and their employees, it has also created new digital risks which transcend organisational silos. In short, they are not IT or security risks; they are business risks. As a result, it is impossible to manage reputations without also managing your digital risks; the two are intrinsically linked.
However, this is not to say that suffering a data breach will tarnish your reputation forever. Often, it is not the breach itself, but the response to the breach that can determine how the event will impact a company’s reputation. This is why the best way to limit reputational damage is to thoroughly prepare for this eventuality as part of a wide-reaching and thorough cybersecurity strategy, which not only looks to prevent attacks but also ensures they are managed well when they do happen.
A key component of this preparation is setting out a breach response plan so that if the worst does happen there is a clear set of procedures to follow. Key things to consider include:
• Cross-organisational input: CISOs should devise their response strategy alongside the chief compliance officer and the director of investor/public relations, as this will build a better picture of the wider ramifications a breach can have on the business
• Full remediation: Security teams should ensure they have the right capabilities to ‘rewind the tape’ to see exactly what happened in the wake of a breach – i.e. what data has been impacted, what systems have been accessed and so on – so that they can provide meaningful and accurate updates to customers as needed. This could mean access to tools that provide this level of insight, or the use of services from external Incident Response teams
• Transparent and timely reporting: If a security incident is reported in vague terms, six months after it took place, this can seem as though a company is withholding information. Communicating effectively with customers, partners and shareholders every time a security incident happens means trust is maintained and reputational damage is reduced
Companies are always going to face cyberattacks, but having a robust approach to cybersecurity, including a well-thought-through breach response plan, can help guard reputation by helping them get back to ‘business as usual’ as soon as possible.
Issue 19 | www.intelligentciso.com