Worldwide, organizations are concerned about cybercrime – but not necessarily for the reasons most would think. While many organizations worry about the technical issues posed by a cybercrime attack, such as ransomware locking up entire swaths of servers – bringing business operations to their knees – most are even more concerned about their public perception and the loss of clientele.
In fact, while an attack or exploitation by a cybercriminal may be technically damaging to an organization, the fallout over how the attack is handled may be even worse, revealing what companies truly fear.
Understanding the technical implications of an attack is incredibly important. That is why many organizations employ incident response teams. Analyzing an attack and restoring business operations is key to ensuring that an organization does not fall prey to the same attack or, ideally, the same attacker. However, with proper incident response and disaster recovery in place, technically recovering from an attack becomes a matter of restoring services and implementing the appropriate cybersecurity controls to protect the exploited organization.
What takes much longer to restore is public brand perception and customer retention. Companies have shown their fear of customer loss in the past by implementing rather dramatic controls in an effort to keep their customers. For example, after Yahoo revealed its most recent breach in 2016, it immediately disabled the automatic email forwarding feature.1 While this was a small change on Yahoo's part, it was a huge change for its customers, who may have wanted to move to another email provider while ensuring that they did not miss anything pivotal sent to their old address. As a result, users had a much harder time switching to another email provider, out of fear of missing an important email. It goes without saying that users, and the media, reacted adversely.
In comparison to Yahoo, the University of Maryland, which suffered the theft of student personally identifiable information (PII) in 2013, took a dramatically different approach by announcing the attack and its response in the same week. Each student whose information was compromised was provided five years of credit monitoring. Additionally, public presentations were given that explained the attack as well as the types of controls put in place to deter future attacks. As a result, the situation was quickly relegated to memory and barely discussed beyond the ensuing weeks.
The Yahoo and University of Maryland examples are just two that illustrate the real damage that can result from cybercrime attacks: reputational damage and loss of consumer confidence. Those working in cybersecurity should keep this in mind during incident response or disaster recovery – though the technical impact on an organization may be damaging, the reputational damage could be leagues worse.
Editor’s note: Through its Cybersecurity Nexus (CSX), ISACA has issued new guidance providing insights on some of the top emerging cyberthreats and the methods through which enterprises can defend themselves.
Frank Downs, Senior Manager, Cyber/Information Security, ISACA
[ISACA Now Blog]