Cybercrime: A risk worth your worry
by Josh Cobden, EVP at Proof Strategies & Iain Paterson, CEO of Cycura
Defence requires both technical and communications approaches.
Another day, another cyber-attack. News stories about companies brought to their knees by cybercrime have become so common we may tune them out as “other people’s problems.” Until it becomes our problem.
Perhaps most worrisome, the manufacturing sector is quickly becoming the top target of threat actors due to its increasing reliance on automation and digitization, the cost of shutdowns and the high dollar value transactions for materials and finished goods. Modern manufacturing facilities typically feature interdependent IT systems. If breached, cyber criminals have access to monitoring and control systems and designs, and even intellectual property. According to a 2020 study by PwC, almost one in five (17 percent) cyberattacks on businesses targeted the manufacturing sector, and a study the same year by security firm Dragos reveals ransomware attacks against manufacturing companies have tripled in the last year alone.
Sophisticated cyber tools like ransomware-as-a-service (RaaS) are now bought and sold on the Dark Web and a growing pool of tech talent is choosing crime as a career. According to a report by New Zealand-based software security firm Emisoft, over 3,000 Canadian organizations were hit with cyber ransom attacks last year, with an average cost of $US 1 million each for ransom, mitigation and downtime. And those are just the companies that report.
It’s time to get worried.
Organizations that want to avoid joining these statistics need to marshal their internal and external IT security, legal, HR and communications teams and consider the following five steps.
- Shore up your defence.
While cyberattacks are getting more sophisticated, most are the result of old, unpatched security vulnerabilities, human error (e.g weak passwords, falling for phishing traps) and the loss or theft of devices like laptops and hard drives containing data. These vulnerabilities can be reduced by a competent and empowered IT department, ongoing technical assessment of your environment, operational discipline and sound corporate policy. Consider consulting with outside experts who bring external experience and perspectives.
- Create (and communicate) a culture of vigilance.
IT security is everyone’s job, but stern directives from the boss and constant nagging from IT aren’t an effective approach to employee engagement. If your employees are getting sloppy with security, chances are they haven’t bought into the need to do better. A sound employee communications plan includes research, engagement measures, trust building and constant, positive reinforcement.
- Line up your partners in advance.
Cyber criminals don’t wait for an invitation, and historically will strike on a long weekend or in the dead of night. That means you need to line up your partners in advance so you can engage them quickly. These may include IT forensics consultants, breach coaches, legal counsel, insurance professionals, credit monitoring services, call centres and public relations firms.
- Define internal roles, responsibilities and protocols…then test them.
A data breach or ransomware attack can come swiftly and unexpectedly and requires many actions and decisions, often under pressure. Table-top exercises run by third party experts will stress-test your plans and ensure your team has the appropriate plans and resources to respond effectively.
Similarly, clear, consistent and regular communication is also essential. If you don’t speak up, others will step in to fill the void, and you may not like their take on the situation. In some cases, the media will be looking for comment, and regulators, shareholders and clients will be watching. Spokespersons should be identified and media-trained in advance.
- Identify your stakeholders and set up your channels of communications.
At the very least, a cyberattack can create minor inconvenience (e.g. temporary network outage). At worst, it can create financially crippling work stoppages, supply chain disruptions, fines from regulators, a customer exodus and long-term loss of trust. When your problem becomes other people’s problem, things go from bad to worse. That’s why it’s vital to identify who could be affected by your issue, and who else needs to know.
Knowing what to say to who isn’t much good if no one can hear you. A cyberattack can paralyze email and networks, so taking steps now to establish back up methods of communicating with your stakeholders is key. If social media become the venue for speculation and conversation about your crisis, having a presence (with followers) on those same platforms is vital if you want to weigh in.
And finally, don’t forget social media monitoring. Restoring trust will be compromised if others are spreading misinformation on social media that you don’t see, especially in under-the-radar platforms like subreddits, or gated communities like Facebook.
Should you be worried about cybercrime? Yes. But worrying won’t make the risk go away. By bringing together internal and external experts, you can worry a lot less.
Josh Cobden is an Executive Vice President of Proof Strategies, a North American public relations and crisis communications firm.
Iain Paterson is CEO of Cycura, a cyber security consulting firm, focused on Offensive Security practices.