Can you buy reputation? Sure you can—who hasn’t clicked on a 5-star item on Amazon with hundreds of (questionably real) reviews? But in times of crisis, that’s a much harder sell. How will you handle a crippling cyber attack? Have you done all you can to minimize the chances? Are you prepared when it’s not a matter of if but when?
What’s at stake for your business
Damage to your reputation can cause a severe blow to your business. The setback is often financial, accompanied by a deluge of negative press. Your stock price might drop, your customers might drop you, and you might also lose your job. Investors aren’t sure you’ll succeed, customers don’t trust your ability, and your boss doesn’t want a part two. Confidence, once lost, can be difficult to earn back.
Equifax, for example, suffered a blow from a breach in 2017 that affected over 145 million Americans. Cyber attackers gained access to a server, uncovered login credentials, and, posing as trusted insiders, gained access to names, birthdates, and Social Security numbers. After disclosing the breach, Equifax poured fuel on the fire: they created a website for customers to check if they were among the 145 million affected, but this new website violated basic cybersecurity best practices, with flawed encryption and a questionable domain that got it blocked as a malicious phishing website.
Some breaches will escape the news yet still prove fatal. You may never have the chance to develop the reputation you envisioned. If you're part of the high-risk category where success depends on the unique products you develop, you must take extra measures to protect your proprietary information from insiders who could leak your competitive edge and your reason for being in business.
How to avoid damage to your name
Not all news is bad news, however. If you play your cards right, you can maintain and even improve your reputation post-cyber attack. Target suffered a breach in 2013 where cyber attackers stole 40 million credit and debit records of customers, promptly selling the information on the black market online. Target’s brand took a major hit, but they acted swiftly and led the retail industry in adopting credit card chip technology. Based on their stock price now, they seem to be doing well.
Conquer insider threats through prevention
The first strategy is to minimize the chance of a cyber attack occurring. In an environment where the most common initial attack vectors include phishing of well-intentioned insiders and the acts of malicious insiders, insider threat security is not to be ignored. This prep work won’t win you awards, but when the time comes, you can confidently say that the company prepared the best way it could.
If you don't have solutions in place yet, consider a quick-win strategy that covers these three areas: your data, your people, and your culture. To protect critical data, you can start with access control and move toward Data Detection and Response (DDR); to detect unusual behavior, you can start by watching for privilege escalation and move toward User Behavior Analytics (UBA). Ensure that you build a competent team to get the most out of the technology you implement. At a foundational level, you can improve your culture by moving toward an environment of trust and accountability.
Manage a crisis effectively
With insider threat solutions in place, you can minimize the chances of cyber attacks and prepare yourself for the inevitable. Every company will face setbacks, but what makes your company one that customers should trust? These principles will guide you in times of crisis to keep your reputation intact:
- Be transparent. Admitting that something happened will help gain trust from your customers and investors. Don’t bury the truth, and please—don’t pay hackers to cover it up.
- Be prepared. No cybersecurity measure is 100% effective, but you do need to prove you tried. Researchers at MIT Sloan found that you can save your reputation by clearly conveying your company’s existing investment in security.
- Get better. You can improve your reputation post-crisis by learning from what happened and communicating your solutions. No one is expected to be perfect, but great companies are expected to evolve for the better.
Getting better requires identifying what happened and finding the balance between solutions and ease of business operations. Some solutions are more obvious; they just need to be executed quickly and consistently. For example, if you've fired an employee, make sure their credentials are no longer valid; otherwise, they could log in remotely and cost you $1M in damages.
With the right strategies, you can prevail
Reputation is one of your most valuable assets, and in a crisis caused by a cyber attack, your resolve will be tested. With these strategies in place (prevention via insider threat mitigation and an effective crisis management system), you can be resilient, capable, and trustworthy in the eyes of your investors and customers.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.