This is not another article about how terrible cyber attacks are.
They are, undeniably so, but you’d be hard pressed to find someone who didn’t know that by now. Yet headlines and advice focus almost exclusively on the fear of a breach and its consequences. Business would be forgiven for thinking either that they will lose everything in the event of a breach or, alternatively, that breaches are so inevitable they shouldn’t worry about them, falling into a state of learned helplessness. Neither of these options is accurate, and they certainly don’t help business to prepare for the reality of a cyber attack.
While we wouldn’t go so far as saying that a breach is good for business, there are upsides of good preparation that aren’t reported on, and preparing for breaches could be the difference between a good recovery and a bad one, especially when the market will judge a business more on “how” it responds to a breach than on the fact that it was breached.
A web search of ‘cyber attack’ offers up page after page of disaster. Millions of dollars lost, enemy foreign states hacking government databases and energy grids brought down. It’s the stuff of spy novels.
Cyber attacks are prevalent. They, alongside data fraud and theft, occupy third and fourth place in the World Economic Forum’s top five likely global risks for 2018. The majority of chief executives surveyed in our annual CEO Survey say it’s increasingly keeping them up at night.
But unfortunately, the focus on wide-scale, far-reaching attacks and the media’s obsession with state-sponsored attacks, rather than the reality of organised crime, has the potential to discourage businesses from preparing the way they should. Executives shelve their worries, thinking they are too small to be preyed upon in such a space age world of cyber terror.
The reality, of course, is that every business must be prepared to survive the increasing professionalisation of cyber criminality. For instance, according to our recent Global State of Information Security Survey 2018: The Australian story report, cyber criminals are becoming so successful they’re franchising attacks out.
“We are now seeing Ransomware-as-a-Service, which allows anyone with a computer and internet connection to use ransomware kits so long as they pay a fee to the original creator or seller,” the report says.
Even so, there are positives for businesses that appreciate the realities they face and prepare accordingly. They aim not to get hacked in the first place, sure, but having accepted that it’s becoming inevitable that everyone will be at one point or another, they find a positive differentiator in preparing to be attacked.
Planning for cyber incidents should not solely be an exercise of avoiding negatives, as in its own way it can lead to many positives and be an enabler in winning back trust.
Consider customers, for instance. Millennials and the following Generation Z cohort are more willing than most to hand over their data freely. This trust is given in return for better, more personalised goods and services. But in the event of a breach, that trust can be quickly revoked. Eighty-five percent of consumers say they will not do business with a company if they have concerns about its security practices, and 71% indicate they will stop doing business with a company for giving away their sensitive data without permission.
The flip side of these dramatic stats, however, is that 88% of customers say that the amount of data they share with a company depends on how much they trust the business. A business that can earn and keep that trust, and the data that comes with it, will have an incredible advantage over peers.
The even better news is that there is a way to marry these seemingly conflicting truths – that trust is important, and that most companies are likely to be attacked – and that’s in the response.
As the PwC Consumer Intelligence Series report, Protect.me, spells out, “consumers are willing to forgive, but their trust can only be regained if companies implement real changes in the wake of a breach.”
The report stresses that, “although no one action will win back every customer, some measures are more likely to resonate with consumers – including compensation for victims, a detailed explanation of what happened, and a clear description of the privacy policies in place.”
For businesses, then, being prepared to implement actions such as these, and to do it quickly and with transparency, will go a long way towards shaping how customers respond. Far from being an IT issue to be addressed in-house and played down in the media, it is in the experience of the breach and its after-effects that there is a real opportunity to win customer loyalty and change the ‘stickiness’ of the negative narrative.
With 32% of customers willing to leave brands that they love after just one bad experience (a still disturbing 24% in Australia), it is absolutely critical that business gets this right, perhaps even more so than being able to ‘patch up’ a hole in the defences.
There is economic profitability in being prepared, too. As we see with larger scale attacks, such as WannaCry and Petya, the chances of business competitors being taken down at the same time are increasing. Those with robust cyber security plans, and the resilience to weather such attacks, will be quicker to get back into operation – allowing them to capture market share from their less resilient competition.
There is no way to waterproof a company against an attack. With the increasing sophistication and criminalisation of the hacking community, it’s not a feasible goal to aim for. Water resistance however? That’s possible. And again, it all comes down to preparation and response.
Alarmingly, 44% of executives in our global security survey said that they did not have an overall information security strategy. Even more, at 54%, don’t have an incident response process. And many boards aren’t proactively involved in their cyber preparedness, even though risk falls squarely in their purview.
To be successful at surviving cyber attacks, businesses must build their resilience by enhancing their leadership and expertise in cyber security, ensuring that strategies are in place alongside equipment, training and tools, oversight and rehearsing for the inevitable – remember, it is how a business responds that’s important. They must also ‘dig deeper’ when it comes to uncovering risk in organisations – making sure key processes, such as penetration tests, threat, intelligence and vulnerability assessments, and active monitoring of information security are in place.
As our colleague and PwC US Cybersecurity and Privacy Leader, Sean Joyce, remarks, “many organisations need to evaluate their digital risk and focus on building resilience for the inevitable”.
Doing so will not only guard against risk, it will provide a path to reward.
That breaches are becoming more common should not mean that business regards their effect with less gravitas; however, their constancy should lead business to give them a different place in strategic planning.
As customers begin to give more weight to a business’s response to a breach than to the breach itself, that response must be an intelligent one.
With honesty, deliberate and considered action, and the resilience to be able to give assurances quickly, business should be able to not only mitigate some of the fall out of a cyber attack, but also be able to differentiate themselves and build consumer trust.