It isn’t easy to generate understanding and awareness of IT security in your own company, especially when upper management is not behind you; it is often not even aware of the total damage potential of a cyber attack. IT security departments can counteract this by introducing a central asset in communication with their management: company reputation.
At the end of 2013, just as the Christmas business was beginning, one of the largest US retailers, the Target Corporation, suffered what was a considerable security breach for the time. Cybercriminals obtained access to the Target network via phishing attacks on the Target supplier Fazio Mechanical and installed the Kaptoxa malware in point-of-sale systems there. This provided them with credit and debit card data for more than 40 million Target customers and more than 70 million address records. By 2016 alone, the direct consequential damage from this attack is said to have amounted to the equivalent of around 285 million euros.
Last but not least, the company’s reputation was permanently affected by the attack. A rapid decline set in for the company’s YouGov Buzz Score, the consumer rating. In the first few days after the incident, the value fell from 22.4 to -19 points. Although the company stabilized the score and raised it somewhat in the following months, at 18.5 points in 2019 it still had not reached its pre-attack value. As a result of the loss of reputation, numerous customers switched to competing companies. Sales and profits collapsed. In the fourth quarter of 2013, profit shrank by 50 percent. For the entire 2013 financial year, the profit forecast had to be revised down by a third.
The Potential For Damage From Cyber Attacks Is Still Underestimated
The example of Target shows: Successful cyberattacks damage companies not only directly – through failure or restrictions of the IT infrastructure, through data loss, through payments of ransom, penalties, and claims for damages – but also indirectly – through lasting loss of reputation. The latter is usually associated with considerable complications for business relationships – not only with customers but also with partners, suppliers, and shareholders. For example, when hackers used a Facebook vulnerability in 2018 to compromise the accounts of 50 million users of the social media platform, the company’s share price fell by three percent in a few days. The Target Corporation even had to cope with a slump of 10 percent in 2013.
Reputation As A Starting Point For More Cybersecurity
And yet: in the internal communication and handling of cybersecurity in many companies, the possible reputational consequences of a successful cyber attack are usually excluded. Jelle Wieringa, Security Awareness Advocate at KnowBe4, sees the problem as follows: “If the IT security department reports cyberattacks, it usually focuses on their direct damage potential. The management, whose task is usually to ensure the reputation, then incorrectly classifies the relevance of IT security and misjudges the full risk.” The result: an unnecessary weakening of IT security. According to Wieringa, the top management level must stand fully behind the IT security department if investments in security solutions are required. It should effectively promote a security culture within the workforce and keep it up to date with training courses. To achieve this, however, the management has to rethink. It has to begin to appropriately integrate the asset of company reputation into its communication and handling of IT security. This requires implementing the concept of “Reputation Driven Defense”. Wieringa defines the term as follows: “This means the effects that a cyber attack can have on the image of a company and what consequences this represents for the security posture of the company concerned.”
Integrate Reputation Correctly Into Everyday IT Security
To do this, you must first of all precisely define and specify the areas of your company’s reputation that can be affected by a cyber attack. Wieringa sees three main approaches here: “As a first measure, these results must then be integrated into the communication with the management. Second, they need to be integrated into the company’s existing safety culture. Regardless of the hierarchy level, every employee must always be aware of the far-reaching consequences of a cyberattack for the sales and profits of their company. Thirdly, they must be used to create a reputation-focused guideline for measures in the event of a successful attack, the content of which can serve as a guide in the event of a crisis to get out of the problem quickly and easily. Above all, a significant mistake that many companies continue to make must be avoided.”
This is the well-known mistake of trying to keep a successful attack secret for as long as possible. In practice, it has proven to be far more sensible to proceed proactively, take responsibility, and demonstrate to the customer and the public the will and the ability to solve the problem. One positive example is the response of the telecommunications service provider Vodafone GmbH to a cyber attack carried out in 2013. Hackers stole master data from over two million customers. Vodafone discovered the attack, stopped it, reported it, made it public, and in the end also apologized to its customers. With these measures, the company was able to stabilize its reputation successfully.
The example shows that transparency and decisive action are the real keys to success when it comes to maintaining a reputation. Companies should therefore understand security culture as part of their corporate culture and promote it accordingly. In addition, they should engage with the concept of “reputation-driven defense” and ultimately invest in it to get the damage to reputation under control in the event of a security incident.