There’s a saying in the national security business that you must build trust before you need it. The adversarial situations we have faced throughout our careers have required us to know whom to trust for a timely understanding of ground truth. Having built trusted relationships with the right people in the right places in advance of an incident has meant the difference between life and death. Trust is the coin of the realm when defending queen and country. The same trust requirement is proving true in corporate security around the world today. Corporations spend lifetimes building their reputations, and they cannot afford to let preventable security incidents destroy them. This trust truism is why board rooms around the world are now treating reputational security as a critical component of their business plans.
Board rooms are fast filling with members and committees that understand that risk to corporate reputation is as important as every other aspect of the bottom line. Critical questions are being asked of CEOs and CISOs about what is now possible in the area of reputational defense, and what the company is doing to protect itself. Today’s realities have presented bad actors with the incentive and opportunity to increase their focus on reputational crimes and, given the ever-increasing sophistication of threats and enterprise reliance on technology, business must adapt.
What’s the bad guy’s motivation?
Money is still at the root of most evil. Today, however, bad actors have realized there’s also money to be made in attacking a company’s reputation. From betting on a falling stock price, to foiling a corporate takeover, to the most common of 2022 attacks — ransomware — companies are dealing with a new and more sophisticated threat landscape.
What’s the cyber harm to companies today?
Over the last decade, data breaches have surged, exposing sensitive information, and undermining customer confidence, which is potentially devastating, especially for smaller businesses. Companies, now more than ever, need to know how to keep their data secure while maintaining a seamless and productive work environment. On the back of these trends, new protocols are emerging to provide additional layers of defense to corporate communications.
The Ponemon Institute’s just-released "Cost of Data Breach Report 2022" surveyed security professionals and C-suite executives at 550 companies, finding that the average cost of a data breach in the U.S. is a staggering $9.4 million, with 83% of these companies admitting to suffering more than one breach. Business email compromise (BEC) is quickly becoming the biggest problem in cyber crime and has cost businesses an eye-watering $43 billion in the last few years. So, it’s somewhat perplexing that only 50% of U.S. businesses have a cybersecurity plan in place.
Take the case of Fran Finnegan. It took his business an entire year to recover from a ransomware attack which encrypted his operational software and all his data. He also suffered a stroke midway through that year-long nightmare, which he attributes to the stress he was under.
When it comes to the potential for reputational risk, smaller businesses may be targeted because they haven’t invested in their security in the way that larger corporations have. Many small business owners think they can’t afford high end cybersecurity defense to protect their business and their customers, for example.
What are companies doing to defend their reputations?
As business processes continue to evolve to leverage efficient cloud computing, distributed workplaces, and mobile technologies, the defensive security capabilities available to companies have evolved equally. Expanding on the U.S. Government’s Cybersecurity and Infrastructure Security Agency (CISA) guidance, companies can look at their reputational defense in four key segments:
1) Reduce the likelihood of a damaging security incident by investing in defenses, including education, multifactor authentication and use of trusted partners.
2) Take steps in advance to quickly detect cyberattacks or security incidents, with active monitoring that looks for any anomalous behaviors.
3) Take steps in advance to be prepared to respond to an attack, with a well-practiced incident response playbook that involves all components of your business and trusted third parties.
4) Build operational resilience into your business plans, with technical and personnel redundancy, hardened cores for critical processes, trusted backups, and secured and encrypted communications for key personnel and services.
What are companies still missing in their reputational defense?
In this new post-COVID world, companies are struggling with how to keep their organizations and their data secure while maintaining a seamless and productive work environment.
But business and personal data are now more available to criminals, and people share increasing amounts of their information among colleagues, partners, clients, and the supply chain. It has long been best practice for businesses to ensure that their whole team protects data internally, but these changing business practices have opened up new attack vectors through extensive use of video conferences, meetings, messaging and remote working systems. With a better understanding of the risks and the adoption of secure platforms, it is both possible and vital to keep prying eyes away from information, because a breach can have a devastating impact.
Here are several things that companies can add to their data defenses:
1) Consolidate vendors and use a unified business communications platform.
Gartner predicts that by 2025, 80% of companies will consolidate their communications platforms to reduce the risk of security vulnerability. Switching from one communications platform to another in your workday increases the risk of attack. Choose a platform that includes all of the company’s needs – file sharing, messaging, meetings and calls. Reducing the number of platforms will reduce the risk of intrusion by hackers.
2) Aim for true end-to-end encryption for messaging, meetings, video conferences and calls.
Think about what employees discuss and share in messaging and meetings these days: future earnings, legal issues, sensitive HR actions, strategy, crisis response – all sensitive matters where timing, access, and messaging are critical. Think about how the organization is sending that information around from office to home to coffee shop and back, across secure and insecure networks, in ways that can be intercepted. Safeguard that information by using end-to-end encryption on proven, security-minded platforms. The current best practice is to use a system with Messaging Layer Security (MLS), which encrypts messages end-to-end, and changes keys with every individual message, adding additional layers of security.
3) Prevent “steal now decrypt later” with quantum resilient technology.
There is an understandable misconception that the threat of adversarial use of quantum computing is just for governments to worry about. But it has the potential to affect everyone and every business. Everyone has secrets, intellectual property and sensitive information that is the cornerstone of their business or life, and everyone is vulnerable when it gets out. For this reason alone, companies can protect themselves with post-quantum encryption technology.
4) Use multi-factor authentication (MFA).
MFA protects data and assets by strengthening identity verification in the authentication process: it requires at least two methods of authentication, reducing the threat of your company’s assets falling into the wrong hands.
What are good next steps?
By evaluating the risks of your information and reputation across the new business and technical realities of today, you can more successfully manage and govern your business.
Remember that, in addition to the often insurmountable financial loss a company suffers following a security incident, it can take years to rebuild a company’s reputation, and organizations face a real risk of losing customers to their competitors. It’s critical that companies move to understand their new reputational risk and work effectively to mitigate it.