Cyberattacks don’t only happen at large companies. Of course, it's the big ones that make the headlines – JPMorgan Chase, Home Depot, Staples, Neiman Marcus, Target – but the truth is that cyberattacks can happen at any business, no matter the size.
This was one of the key takeaways at last year's User Conference. For one hour during our two-day event, a five-person panel, including a CEO, Information Security Officer, Lawyer, Journalist and Customer role-played an incident response scenario, and needed to determine a live course of action.
What was the scenario?
The panel session, titled “Incident Response: Your Response May Hurt More Than the Attack” posed the question – what would happen if actual professionals were faced with a data breach at a community-based financial institution? They were vulnerable and were put to the test – in front of a live audience.
What were the results?
As the scenario unfolded, the bankers were scrambling to learn more about the breach, while the customer became angrier, and the journalist more aggressive. It quickly became clear that the title of the session made perfect sense – how you respond can hurt more than the attack.
The organization didn't know the extent of the cyberattack at the outset. All they knew was that one customer had fraudulent transactions on his account and was very upset. As the financial institution scrambled to find out what happened, a journalist got wind of the story and published an article about the attack on social media. The article claimed multiple customers had confirmed they too had similar fraudulent transactions, and the story went viral.
As the panel proceeded, the bankers were forced to deflect questions about the severity of the attack and delay meetings with customers. People knew this community bank had been breached, but nobody knew the details. From an inside perspective, the professionals were trying to get the facts straight, comfort their customers, and fend off the press. From an outside perspective however, the bank looked guilty, and the breach looked severe.
What can you do?
Your business needs to be ready for a cyberattack, no matter the size of your organization. Furthermore, you need to practice. Nothing can replace the stress, fear and uncertainty of an actual security breach. Your risk management plan shouldn’t only be documented, but put to the test. This will help you account for things like lack of information, a persistent journalist, and living in the age of social media.
In addition to operational risk management steps – strong authentication measures, firewalls and well-trained employees – your organization needs a quality incident response plan. As shown during the panel, communication is often the first thing to break down following an attack. Even the best-designed plan can fail miserably due to a lack of communication. In this situation, the bankers were left in a panic and had many moments of frantic "calls" and hushed conversations, all because they weren't on the same page before the attack. The right plan will provide the answers before the attack even begins.
Why should you prepare?
Don't underestimate the threat of a cyberattack. According to Ponemon Institute's 2014 Cost of Data Breach Global Analysis report, the average cost of a cyberattack to a company is $3.5 million. Ponemon also noted that greater costs were directly related to a damaged reputation and loss of customer loyalty. There is a correlation between investing in cybersecurity and protecting the financial integrity of your organization and the happiness of your customers.
As shown at the WolfPAC User Conference, your response may hurt more than the attack. Risks facing both organizations and customers are on the rise and too few companies disseminate and test their risk management strategies. With the right incident response plan, you'll have the foundation you need to react accordingly, and your business will be better prepared to take control of the situation and mitigate losses to reputation and revenue.