The Role of Communications in Tackling Cyber Risks

Ryan Mellor

Large corporations are no strangers to cyber-attacks. For over 30 years, companies have worked to keep up with an increasingly interconnected world by strengthening their networks’ defenses and security infrastructure against external threats. While these concerns used to fall squarely on the shoulders of IT departments, today, the pace of technological advancement has placed Internet-enabled devices in the pockets and homes of the general public, blurring the lines between work and home, rendering employees key stakeholders in the cyber security efforts of their companies.

The COVID-19 pandemic has accelerated this technological dependence even further, underpinning  hybrid work models that are being adopted by SMBs and Fortune 500 companies, as well as encouraging the migration of previously manual tasks online. Though such reliance comes with great benefits for businesses and their employees, it has also left organizations more exposed than ever before to the risks posed by cyber criminals, who themselves are growing in number and sophistication at a faster pace than ever before.

Speaking on FleishmanHillard’s Cyber Security: Comms at the Ready webinar, Gene Yu, Co-Founder and CEO of incident response firm Blackpanda, pointed out that his company has observed a tremendous increase in ransomware attacks this past year, which eclipsed the illegal global drug trade in its scale. He also noted that the median ransom amount is climbing toward US$500,000. In the recent high-profile case of Taiwanese computer company Acer, reports indicated that ransom demands reached as high as US$100 million.

Given the size of the sums involved, Yu emphasized the importance of incorporating public relations experts as early as possible during a companies’ initial response efforts to swiftly craft a cohesive public facing message. In most cases, he noted, cyber-attacks are the result of underinvestment in proper security measures and there is a common misconception that organizations can recover from a breach without a significant impact. Comparing ransomware attacks specifically to the grave danger of finding oneself in a knife fight, Yu pointed out that companies should expect to get  hurt if they find themselves in this type of situation, and thus should have a plan to control the external narrative from the start.

After a company takes steps to recover and remediate vulnerabilities in their network, Yu emphasized that an investigation is a crucial step to gaining a better understanding of why the attack happened and how the organisation can prepare better to avoid a repeat incident.

Rachel Catanach, Senior Vice President & Senior Partner, General Manager New York at FleishmanHillard, echoed this sentiment, adding that companies need to prepare in advance: the more risks that are identified and anticipated, the better prepared a company will be. Such preparations should also consider how companies, when they own the customer or stakeholder relationship, should take responsibility for the situation, even when they are not directly responsible for the incident. Thus, assigning clear roles and responsibilities, knowing one’s stakeholders and vendors, and responding in a timely manner are key for facilitating smooth communications.

It is not just from cyber criminals that businesses need to aware, however. Globally, governments and regulators have started to implement more stringent cyber regulations, the most notable being the European Union’s General Data Protection Regulation (GDPR). James Gong, Partner at Bird & Bird, told the event that cyber security regulations are also a priority in China’s legislative agenda, but that there are important differences in how China is approaching it versus the EU.

Looking at the concept of “personal information”, for example, what constitutes “sensitive personal information” in China is broader than in the EU, meaning that even if a company is GDPR-compliant, they may not be compliant with Chinese law. Equally, China has a concept of “important data” that does not exist in other countries and usually refers to data that is considered to have a security and economic impact. Given such data can overlap with “personal information”, Gong advised the audience to do data mapping to identify what data falls under which category.

Getting such compliance wrong can have severe consequences – with violations of “personal information” laws potentially costing businesses 5% of return and barring violators from managerial positions in China, while falling short on data and cyber security laws could lead to a suspension of business.

It is for this reason that the panelists urged participants to be alert, and that good cybersecurity starts with culture: everyone has a role to play from the top down. Timely and transparent communications in particular is key to tackling such crises.

By Ryan Mellor, Account Director at FleishmanHillard Hong Kong