Organisations that have been subject to cybersecurity threats and data breaches have been communicating about these incidents more swiftly than in the past, when there was a tendency to hide them. Now companies are more eager and quick to “confess”, raising the question: is this driven by a lack of shame, or just by the enormity of the issues that all companies and governments need to unite behind?
Stealing company data is almost a non-event when countries have been held to ransom with potential attacks on national water supplies and there is debate on the vulnerabilities of cyber warfare. Companies should be planning and preparing for such incidents – not if but when – and educating their staff and all other stakeholders in the digital ecosystem on cybersecurity risks and threats.
As cyber incidents such as hacked devices, crashed websites and breached networks became more prolific, organisations slowly began to develop cyber incident response (CIR) plans to counteract such occurrences. Avoiding large-scale cyber crises often comes down to adequate and responsible management of cyber incidents before, during and after they unfold. By preparing a robust cyber crisis management strategy, organisations can stay ahead of cyber-attacks, leaving them with more available resources to focus on their core business goals.
Any cybersecurity response plan must start with educating employees about the importance of prompt cyber threat reporting, investing in new technology solutions to secure and manage authorized access and implementing rapid response initiatives to shorten threat detection and response times.
According to a Gallagher poll, 60 percent of UK businesses have experienced cyberattacks or data breaches caused by human error. The poll commissioned by the global insurance company also revealed that as many as 3.5 million UK companies may have suffered losses as a result of human error.
Employees are also at risk of phishing attempts when they open links from untrusted sources. A CSO Online article estimates that phishing attacks account for more than 80 percent of reported security incidents, with more than $15,000 lost every minute. A 2020 Cyber Security Agency of Singapore (CSA) report indicated that phishing attempts tripled in 2019 from 2018 figures, and doubled during the 2020 Circuit Breaker. By training employees to look out for suspicious emails from unverified sources and not to open them, businesses can significantly reduce the number of phishing incidents linked to employee negligence.
While organisations take proactive measures to combat cybersecurity and phishing threats, they would do well to focus on improving communications with their clients far in advance of any incident. Customers and partners may be willing to concede that cyber attacks do and will happen, but they also want organisations to be accountable and responsible for taking every possible measure to manage these risks effectively. Furthermore, it is critical for clients to hear about such incidents directly from the organisation rather than from third parties such as a news outlet, which could be devastating to confidence and reputation. All forms of crisis communications and management come down to getting the bad news out quickly, effectively and to all impacted publics.
Recently, Singapore Airlines delivered on its reputation for exemplary customer engagement and effectively communicated a cybersecurity breach to all its loyalty programme members. The company released a statement on 4 March regarding a cybersecurity threat against air transport communications and IT vendor SITA that saw the leak of personal information belonging to 580,000 KrisFlyer members. Although this data was largely limited to frequent flyer membership numbers and tier status, there were some instances in which full names were illegally accessed. By communicating the breach quickly, providing assurance on the impact and taking decisive action, Singapore Airlines managed to retain the confidence and trust of its customers.
In light of the recent SolarWinds scandal, the Singapore government adopted a “zero-trust” cybersecurity posture to protect its networks against cybersecurity attacks. Although Minister for Communications and Information S Iswaran said that there were no indications that Singapore’s Critical Information Infrastructure (CII) and government sectors were affected by the SolarWinds breach, he recommended a more deliberate, targeted, and consistent cybersecurity strategy to strengthen the nation’s cyber defences against increasingly sophisticated threats. Additionally, Iswaran said that Singapore can and should make every effort to strengthen existing systems and learn as much as possible from prior incidents.
Last October, the voluntary Cybersecurity Labelling Scheme (CLS) was launched to regulate security features in consumer Internet of Things (IoT) products. Although the scheme initially applied only to WiFi routers and smart home hubs, it was expanded in January to include all types of consumer IoT devices. To encourage adoption, the Cyber Security Agency of Singapore (CSA) will waive all application fees for the first year. Although the scheme is currently voluntary, manufacturers of WiFi routers will soon have to meet mandatory security requirements before releasing their products onto the marketplace.
The scheme assesses and rates smart devices into four levels. To pass the first two levels, manufacturers submit a declaration of compliance along with supporting evidence. Apart from helping manufacturers differentiate themselves from their competition, the CLS also incentivises them to develop more secure consumer IoT products that will improve security, raise overall cyber hygiene levels and better secure Singapore’s cyberspace. As CLS ratings are indicative of levels of cybersecurity provisions, consumers will be able to identify more secure products and be empowered to make more informed decisions on their smart home devices.
In 2012, the Philippines passed the Data Privacy Act to protect all forms of information. Apart from covering natural and juridical persons involved in the processing of personal information, the Act also applies to personal information relating to Philippine citizens and residents, as well as Philippines-related contracts and entities. Although the National Privacy Commission (NPC) has issued numerous warnings for privacy violations, including ones relating to Covid-19 contact-tracing data, no parties have been fined or jailed for violations since the NPC was founded in March 2016.
In conclusion, there are many ways in which organisations can and should improve their cybersecurity response plans.
Firstly, they can proactively educate their employees about cybersecurity awareness and their responsibilities, invest in new technology solutions, and implement rapid response initiatives to shorten threat detection and response times. By communicating cybersecurity incidents and breaches to stakeholders and clients as and when they occur, organisations may be able to mitigate potentially devastating scenarios and consequences.
By learning as much as they can from past incidents, organisations can stay ahead of their peers in the cybersecurity game. Organisations must also stay up to speed with local and regional cybersecurity regulations and take every measure to strengthen their existing systems to differentiate themselves from their competition.
By addressing cybersecurity threats with speed and transparency, organisations can foster stronger trust and improved customer service.