Incident management is often seen as little more than the necessary, slightly depressing clean-up after a major cyber incident. But the way a CEO handles a hack could have a long-term impact on reputation that far outstrips the initial financial losses. Here Phil Chambers, COO at Metro Communications, offers expert insight into the common mistakes CEOs frequently make during cyber-attacks.
Last year, Uber’s reputation suffered not only because criminals accessed the personal details of 600,000 US drivers and 57 million customers globally, but because it paid ‘tame hackers’ to hide the breach. Criminals exposed the data; Uber exposed its own questionable ethics.
Interestingly, Uber CEO Dara Khosrowshahi seemed perfectly content with the organisation’s immediate technical response. For him, the key issue was how the non-technical aspects were handled, particularly the fact that the company (under the leadership of its previous CEO) had failed to notify the regulator and hadn’t been ‘honest and transparent’ with its customers.
The way you communicate is crucial. Where a company fails to manage or communicate a data breach in a timely and transparent manner, the knock-on effects can be huge. Share prices may plummet, customers may stay away, insurers will quibble about pay-outs, fines from the regulator may be stiff, heads will almost certainly roll, and the costs of borrowing could increase.
Recent research by Pentland Analytics and Aon found that companies risked losing up to 30% of their value as a direct result of management behaviour in the immediate aftermath of a crisis, with the impact amplified by social media and 24/7 news. In some cases there is a fine line between mismanagement and criminality, and accountable individuals who cross that line might find themselves personally sued, as UK regulators are increasingly making individual directors liable.
CEOs need to be clued up and plugged in to cyber security. A recent Mimecast survey of 800 IT decision-makers and senior executives found that a worrying 40% described their CEO as a ‘weak link’ in cyber security, with 20% saying that a senior executive sent sensitive data in response to a phishing attack.
They also have a role to play in ensuring that information security is treated seriously and brought centre stage across the whole organisation. Responsibility doesn’t sit with one person or group; accountability for data safety has to be shared right across the business and everyone has to play their part.
Smart investment in cyber security is essential. This isn’t about expensive kit; it’s about actions: for example, penetration testing to check the integrity of the IT ecosystem as a whole, phasing out legacy systems that are no longer supported by security patches, and securing mobile devices so that confidential communications about issues like intellectual property, finance deals and mergers aren’t carried out over hackable networks.
Effective leadership in response to a cyber incident demands ‘political’ skill. This is the art of managing information and communicating carefully and positively to contain a crisis. Full disclosure may not always be advisable, but to hide key facts that have major consequences for the finances and safety of customers, shareholders and other stakeholders is to seek to protect the company by betraying the people who keep it afloat.
A CEO with this political skill will:
- remain calm and appear in control at all times
- communicate key facts accurately and consistently
- be truthful about the scope of the breach
- focus messages on known facts and on the action being taken to contain the damage
- keep stakeholders updated about how they could be affected, what they can do to stay safe and any remedial action
- apologise to those affected
Even the world’s most sophisticated and well-defended companies have their weaknesses, but the CEO shouldn’t be one of them.