Data security – the crisis risk elephant in the room

If you’re ever tempted to doubt the impact of a data breach, just think about the hackers who leaked emails immediately before the US Democratic National Convention, which exposed the party machine’s bias against election hopeful Bernie Sanders.

There’s some question as to who engineered the hack. Maybe it was the accused Russians and maybe it wasn’t. But there is no question at all as to the reputational impact for the Democratic Party (which appeared to endorse the bias); for Chairwoman Debbie Wasserman Schultz (who was forced to resign); and for Presidential nominee Hillary Clinton (who had to wear the damage).

While not every data breach is so high profile, such security lapses are increasingly common and constitute a massive crisis risk for organisations of all sizes. Indeed the Australian Institute of Management recently reported 60 percent of IT professionals in Australia and New Zealand expect a cyber attack to affect their organisation this year, yet only 43 percent believe they are prepared for it.

Similarly, a new survey for Accenture found that a majority of security executives around the world (69 percent) had experienced an attempted or successful theft or corruption of data by insiders during the prior 12 months, and more than half (54 percent) indicated that their current employees are under-prepared to prevent security breaches.

While such worrying numbers are not exactly a surprise, they highlight that vulnerability to cyber-attack is a crisis risk which demands a higher level of management commitment and communication planning. (Look no further than the Australian Census debacle in the last issue of Managing Outcomes.)

However, executive support often seems to be lacking. For example the PwC Cybercrime Survey last year found that fewer than half of the global organisations surveyed had a cross-organisation team which regularly convenes to discuss, coordinate and communicate about issues involving information security.

And, amazingly, the new Accenture study found that more than a third of the experts surveyed believed their executive management consider cyber-security “an unnecessary cost.” Sheesh. Tell that to Hillary Clinton. Or the Australian Bureau of Statistics.

We know from experience that companies which are not properly prepared to manage a crisis sometimes say “We are small and not likely to have a crisis.” The same dangerous mistake applies in spades to the risk of cyber-attack. A 2015 survey of small US businesses by Nationwide Insurance found 63 percent said they had been attacked at least once. Meantime, in a survey by UK insurer Towergate, 82 percent of small business owners believed they were safe from a cyber-attack because “they didn’t have anything worth stealing.”

Oh Really? Forbes magazine recently warned this belief couldn’t be more wrong. In fact they said hackers often go after small companies, which may not be so well protected, specifically to worm their way into more valuable victims. Like when data thieves hacked into a small contractor to access records of 70 million customers of US retail giant Target.

So data security is the elephant in the room. Everyone knows it’s there but sometimes it seems too big to tackle. Mark Twain famously said (or repeated): “Everyone complains about the weather, but nobody does anything about it.” The same might be said about data security as a leading crisis risk. However, unlike the weather, in this case you can do something about it, and you need to take action now.

This article was taken from Vol 7, No. 17 of Managing Outcomes, published by Tony Jaques, Director of Issue Outcomes Pty Ltd, for people who work in issue and crisis management.

You can contact Tony at tjaques@issueoutcomes.com.au or visit his website www.issueoutcomes.com.au