Costly damage from cyber attacks can be devastating to companies that see revenue streams interrupted, stock prices dive and reputations smeared. Often, companies also face costly lawsuits and fines from regulators. The lessons the attacks reveal, however, can provide a silver lining in an otherwise very dark cloud.
Cyber risk is one of the downsides of the ongoing trend towards digitalization, and cyber attacks have become almost commonplace. But despite the widespread publicity around the attacks and the ensuing damage they cause, many companies, especially smaller ones, remain dangerously unprepared.
Companies in practically every sector of business are moving quickly towards digitalization through e-commerce, mobile payments, “big data” and analytics, the adoption of machine learning and other avenues. The more companies become dependent on information systems to control their production, distribution and other processes, the more exposed they become to cyber risk.
A few high-profile examples show how the damage from cyber attacks can bring some companies perilously close to disaster. In 2017, Maersk’s IT infrastructure was almost completely destroyed and several months of work were needed to bring operations back up and running. Two years later, Norsk Hydro’s systems were rendered dysfunctional, halting the company’s revenue stream for weeks.
Capital One reported a breach in 2019 that caused the bank’s stock to drop nearly 6% in after-hours trading and lose 13.89% over two weeks, Harvard Business Review reports. A hack at Equifax in 2017 caused its stock to fall from $142.72 to $92.98 in a week, with market share dropping significantly in the wake of the breach.
These incidents are among many others that illustrate the sometimes dire consequences of successful cyber attacks. Not only is business lost, but companies must also regain the trust of customers who may question their ability to protect sensitive information. That work is not done quickly and, in some cases, could take years.
Surviving a cyber attack means knowing first what not to do. It makes no sense to hide the details of a successful breach or make excuses that minimize the organization’s responsibility. Own up to the incident and begin the work to minimize the damage and recover.
The best reaction to a cyber crisis is direct and honest communication that acknowledges accountability, is clear that the company and others are at risk and assures customers and the public that the weaknesses that allowed the breach are being strengthened. Communications that clearly state that the company is working with the proper authorities are a critical early step in mitigating the crisis.
As John F. Kennedy was known to point out, the Chinese used two brush strokes to write the word “crisis” – one stands for danger and the other for opportunity. In President Kennedy’s case, he avoided a catastrophe in the 1962 Cuban Missile Crisis through quick, clear and direct communications with the Soviet Union. In the same way, organizations hit by a cyber crisis should not ignore the opportunity to improve the situation through well-thought-out communications and putting the right measures in place to prevent such attacks from materializing again and again.
Shoring up weak spots

A cyber incident will reveal weaknesses where systems can be vulnerable. It is important to “walk the talk” behind the assurances given to the public that systems are being strengthened. That means technical and organizational upgrades have to be put in place to protect data, employees and customers’ data and the resilience of the organization’s business processes, as well as to rebuild trust and help restore the company’s image and brand that may have been tarnished by an attack.
“Cyber attacks can take a heavy toll on your company’s revenue streams and reputation,” says Philipp Hurni, Cyber Risk Engineering Global Practice Leader, Commercial Insurance, Zurich Insurance Group. “When a cyber attack hits, take the opportunity to demonstrate true leadership - take accountability, apply lessons learned and shore up defenses to prevent similar attacks in the future. Nobody is safe from cyber attacks – but not learning from mistakes means failing.”
There are examples of companies that have found the silver lining in cyber events that have hit themselves or companies in similar industries and have implemented stronger, more sustainable cyber risk management practices. As cyber risk engineers, we have taken notice of work by companies to protect themselves better, in, for example, the following areas:
Cyber attacks can be a disaster for organizations that are ill-prepared to deal with them. But there are lessons to be taken from those who have survived a crisis and lived to tell about it. And when it comes to dealing with such critically important issues as protecting systems from criminals who can create havoc very quickly, there’s no reason why any company shouldn’t seize on the silver linings that could help them avoid potential disaster.