Cyber-attacks make headlines on a daily basis. With data becoming a currency in its own right, and with cloud storage and mobile access blurring the boundary of where that data lives, there is virtually no organisation that does not have to consider its approach to cyber security.
Consumers are almost powerless to stop these attacks happening, and the reputational damage to the breached company can be huge.
Yet fines and other consequences are still not making a big enough impact on corporates: many simply accept the potential risk rather than addressing it.
By failing to prepare, you are preparing to fail
For one thing, disclosures still take too long.
Equifax discovered its breach at the end of July 2017, but it was only disclosed publicly on 7 September.
This means consumers are exposed for longer than necessary, which breeds a culture of mistrust.
Almost without exception, companies that have been breached issue a board statement reassuring investors and the market that security and data protection are taken very seriously or are a top priority.
In truth, however, it only becomes a top priority after the breach.
Easy steps ahead of GDPR
The GDPR applies from 25 May 2018, and it has real teeth: fines of up to EUR 20 million or 4% of global annual turnover, whichever is higher, which companies need to take seriously.
Businesses will find themselves paying regulatory fines on top of managing damage to customer relationships, limiting negative press around the brand and handling inevitably strained stakeholder relations.
The GDPR applies not just to EU companies but to any organisation, anywhere in the world, that offers goods or services to people in the EU or monitors their behaviour, and the first company to fall foul of the regulation should expect to be made an example of.
Organisations need to focus on playbook-driven approaches and embrace true security analytics, concentrating their efforts on protecting the data, entities and access whose compromise would cause the most significant damage to the business.
Enterprises must also get smart about integrating their security solutions. Collecting the right logs from the right devices at the right logging levels is essential, but on its own it only provides a post-event view. To be effective, log data has to be integrated with threat intelligence and business context (which systems hold personal or sensitive data, who owns them and how critical they are) to build a true picture of the state of the enterprise and deliver the situational awareness needed to combat today's advanced threats.
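The difference between a post-event log view and situational awareness is easiest to see on real events. The following is an added example, not code from the original article or from any product: it parses a handful of constructed sshd authentication lines, enriches each event with a constructed threat-intelligence indicator list and a constructed asset inventory carrying business context (does the host hold personal data, how critical is it, who owns it), and scores the result. The field names, weights and threshold are assumptions chosen for illustration, not any SIEM's schema.

```python
"""Enriching raw log events with threat intelligence and business context.

Added example, not code from the original article or any vendor's product.
All log lines, indicators and asset records are constructed for illustration;
the scoring weights and threshold are assumptions.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: syslog-style sshd authentication events (not real logs).
SAMPLE_LOGS = [
    "2018-01-16T02:14:07Z db-prod-01 sshd[2211]: Failed password for root from 203.0.113.45 port 51022 ssh2",
    "2018-01-16T02:14:09Z db-prod-01 sshd[2211]: Failed password for root from 203.0.113.45 port 51023 ssh2",
    "2018-01-16T02:14:12Z db-prod-01 sshd[2214]: Accepted password for deploy from 203.0.113.45 port 51030 ssh2",
    "2018-01-16T09:30:41Z dev-box-07 sshd[917]: Accepted publickey for alice from 198.51.100.7 port 40122 ssh2",
    "2018-01-16T09:31:02Z kiosk-03 sshd[118]: Failed password for invalid user admin from 192.0.2.200 port 2222 ssh2",
]

# Constructed threat-intelligence feed: indicator -> (confidence 0-100, description).
THREAT_INTEL = {
    "203.0.113.45": (90, "credential-stuffing source seen in a recent campaign"),
}

# Constructed business context: host -> whether it holds personal data, criticality 1-5, owner.
ASSET_INVENTORY = {
    "db-prod-01": {"personal_data": True, "criticality": 5, "owner": "payments"},
    "dev-box-07": {"personal_data": False, "criticality": 2, "owner": "engineering"},
    "kiosk-03": {"personal_data": False, "criticality": 1, "owner": "facilities"},
}
UNKNOWN_ASSET = {"personal_data": False, "criticality": 1, "owner": "unknown"}

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\d+\.\d+\.\d+\.\d+) port \d+"
)


@dataclass
class Event:
    ts: str
    host: str
    outcome: str
    method: str
    user: str
    src: str


def parse_line(line: str) -> Optional[Event]:
    """Parse one sshd auth line; returns None for lines in an unknown format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return Event(m["ts"], m["host"], m["outcome"], m["method"], m["user"], m["src"])


def enrich(event: Event, intel=THREAT_INTEL, assets=ASSET_INVENTORY) -> dict:
    """Attach threat intel and asset context to one event and compute a score.

    Base score comes from the indicator and the event itself; business
    context then multiplies it, so the same event on a low-value kiosk and on
    a database holding personal data ends up in very different places.
    """
    ti = intel.get(event.src)
    asset = assets.get(event.host, UNKNOWN_ASSET)
    score, reasons = 0, []
    if ti:
        score += ti[0] // 10  # 0-9 points from indicator confidence (assumed weight)
        reasons.append(f"source {event.src} on threat intel: {ti[1]}")
    if event.outcome == "Accepted":
        score += 3
        reasons.append("login succeeded")
        if event.method == "password":
            score += 2
            reasons.append("password auth rather than key")
    score *= asset["criticality"]
    if asset["personal_data"]:
        score *= 2
        reasons.append(f"{event.host} holds personal data (owner: {asset['owner']})")
    return {"event": event, "score": score, "reasons": reasons}


def triage(lines, intel=THREAT_INTEL, assets=ASSET_INVENTORY, threshold=20) -> list:
    """Return enriched events scoring at or above threshold, highest first."""
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue  # unknown format; in production count these rather than drop silently
        rec = enrich(ev, intel, assets)
        if rec["score"] >= threshold:
            alerts.append(rec)
    alerts.sort(key=lambda r: r["score"], reverse=True)
    return alerts


def main() -> None:
    for label, intel, assets in [
        ("logs + threat intel + business context", THREAT_INTEL, ASSET_INVENTORY),
        ("logs + business context, no threat intel", {}, ASSET_INVENTORY),
        ("logs + threat intel, no business context", THREAT_INTEL, {}),
    ]:
        print(f"== {label}")
        for rec in triage(SAMPLE_LOGS, intel, assets):
            ev = rec["event"]
            print(f"  {rec['score']:4d}  {ev.ts} {ev.host} {ev.outcome} {ev.user}@{ev.src}")
            for reason in rec["reasons"]:
                print(f"          - {reason}")


if __name__ == "__main__":
    main()
```

Run as a script, the three passes show the point of the paragraph above: with all three inputs the successful password login to the payments database from a known-bad source tops the list and the preceding failed attempts against it also surface; without threat intelligence the failed attempts disappear entirely; without business context nothing crosses the alert threshold at all, because the logs alone cannot say which host matters.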
There must be a clear, well-rehearsed incident management plan covering internal and external communication as well as containment and recovery activities.
Companies big and small have a duty of care in handling personal data and should take appropriate measures in line with local legislation, especially with the GDPR coming into force soon.
However, companies should not focus purely on compliance as the driver. Good risk management practice will enable businesses to achieve compliance while at the same time strengthening their broader security posture. In this way, security improvements are embedded into the business and the tick-box mentality that has dogged so many regulations in the past is avoided.
Given the critical nature of IT within the digital world that we live in today, this approach will help us to protect the very fabric of the services that we depend on as a nation.
To answer the headline question: no, being the victim of a cyber breach does not mean the end of good customer relations.
The way a company reacts to cyberattacks, however, can play a pivotal role.
While implementing best practices, training employees and investing in preventative measures can significantly decrease the risks of becoming the victim of a cyberattack, companies must understand that their attitude after the incident is what matters the most to customers.
Honesty, openness and quick reactions can sometimes make the difference between losing customers and strengthening relationships.
Cyberattacks – the end of a good customer relationship? by Rob Lay, January 17, 2018