Craig McDonald 28 November 2018 16:58:40 AEDT 7 MIN READ

Breaking Through The Culture Of Denial: Why Business Leaders Need To Share Their Experiences

Another day, another red-faced exec wondering how his company just managed to get scammed out of thousands of dollars. Embarrassing? Yes. Uncommon? No.

In fact, according to PwC’s 2018 The new face of economic crime report, 43% of businesses experienced a cybercrime attack in the past 2 years. Cybercrime is epidemic. So why do we only hear of the attacks where companies can’t escape disclosure?

We all get tricked in life. Some things are not as they seem, and hindsight is 20/20.

Bad things happen, but without community awareness, bad things can continue to happen, unimpeded by warnings from those who’ve been burned.

If break-ins keep happening on your street, but you don’t talk to your neighbours then you might be next.

Cybercrime is everyone's problem

When you don’t share information, it means more businesses like yours fall prey to the same tactics. When tactics evolve, the industry isn’t up to date on what’s happening. Complex and convoluted cyber-attacks that target the human element aren’t detailed in anti-virus software blogs. The details are glossed over in mandatory public reports.

We’re ashamed, embarrassed and worried about what people will think about our business. It’s something we want to keep a secret. Uber went so far as paying hackers hundreds of thousands of dollars to bury the fact they’d stolen millions of customer records. We want to hide our shame so much that we go to extraordinary measures.

But to defend against cybersecurity attacks, and become more security conscious and aware, we need to create a security culture not just in our own business, but within the wider industry. We need to stand up and say “this is happening and it could happen to you!”

At an event that MailGuard co-hosted earlier this year with PwC, Alastair MacGibbon, Head of the Australian Cyber Security Centre, talked about the importance of collaboration when building a cyber defence strategy: “Alone we will fail” was his message – “…Microsoft alone will fail. PwC on its own… MailGuard on its own… But together, with the sharing of information, with the sharing of solutions, we build the technologies that will lead to social and economic benefit - not just for us as a nation but as a world.”

As leaders, many of us avoid talking about our failings, for fear that sharing and admitting to being victims of cybercrime will damage our company’s reputations, attracting market attention and impacting our bottom lines, or perhaps even the reputations of the individuals at the helm. It’s the sort of attention that we actively avoid and discourage.

Reputations are on the line

I want to talk for a minute about data breaches and specifically company reputations. It’s one of the most worrying incidents for any business.

In Australia, we have the Notifiable Data Breaches (NDB) Scheme, an initiative effective since February ’18 that means entities (under set specifications) must evaluate any data breaches and determine whether they will result in serious harm to any individual - and if so report within 30 days, and send out notifications to those involved. In the EU, the GDPR is now in effect.

But is all this notification enough? On July 31, the Office of the Australian Information Commissioner (OAIC) released the first full quarter results under the NDB Scheme. The report revealed 242 notifications for the quarter, after only 63 were reported in the initial 6 weeks of the scheme’s operation.

Data breaches are clearly on the rise, and mandatory reporting is a start, but is it enough? In one UK study, 27% of consumers ended their relationship with a company after a data breach occurred. Companies experienced a 5% average decline in stock value following a breach - although security-conscious and quick-reporting companies saw value rebound in an average of just 7 days.

If you want to save your reputation, you need to seriously consider how you manage the release and narrative of your data breaches.

Trying to hide or minimise real stuff ups isn’t going to look good if the truth comes out. In my experience, I’ve seen that companies who are security conscious, investigate and report quickly, and get PR working to minimise the blow of the breach, have the best chance of recovery.

Having management plans in place for data breaches can significantly help.

Beyond mandatory reporting: Information sharing and the onus on business leaders

I would argue that as leaders, mandatory data breach reporting to regulators is only scratching the surface of our true responsibility.

One of the best and most effective examples that I have seen, demonstrates far greater transparency, with a collaboration between some of our major financial services organisations, industry bodies and government departments. In that case, representatives from each of the organisations are in constant contact, sharing intelligence and alerting others to threats by phone and email, and with semi-regular meetings to discuss what they’re seeing, and what plans they are putting in place to improve their collective defences.

The rest of us need to follow this lead. A prudent place to start is your supply chain.

By sharing a careful narrative of incidents with the wider industry and even community, we can encourage a collective security culture, while keeping our businesses and reputation safe.

As a business leader, you have the power to help combat cybercriminals with your stories. But you are in control of those stories: how you choose to outline them, where you share them, and what you’ve done to boost your security response.

I think we need to do more to share this critical information. It can’t get buried in reports on cyber-security blogs. We need to be talking about it in conference keynotes. We need flourishing industry mailing lists and online communities to share this information.

True power lies in information and a critical mass of people. It’s as simple as that. Let’s make it happen and combat cybercrime together. I’ll leave you with a quote from Robert S. Mueller, III, former Director, Federal Bureau of Investigation (FBI):

“We must continue to build our collective capabilities to fight the cyber threat…we must share information…we must work together to safeguard our property, our privacy, our ideas, and our innovation. We must use our connectivity to stop those who seek to do us harm.”

Stay safe. I would love to hear what you’re doing to stay in touch with your peers, and to share threat intelligence and security best practices.

Get the facts

Companies are spending more on cybersecurity now than ever before, but those funds aren't always targeting the most significant dangers. There seems to be a bit of a disconnect amongst many CEOs about the sources of cyber-threat.

Studies consistently show that more than 90% of cyber-attacks are perpetrated via email, yet email security is rarely the biggest item in cybersecurity budgets. If we’re going to win the battle against cybercrime we have to get real about the nature of the threat.

I’m on a mission to help business people understand cybercrime and protect their businesses from costly attacks. If you would like to learn more about the complex cybersecurity challenges facing business today, please download my e-book Surviving the Rise of Cybercrime. It’s a plain English, non-technical guide, explaining the most common threats and providing essential advice on managing risk.

You can download my e-book for free, here.

“Cybercrime is a serious and growing business risk. Building an effective cybersecurity culture within an organisation requires directors and executives to lead by example. Surviving the Rise of Cybercrime is a must-read for directors and executives across business and in government and provides strong foundations for leaders determined to address cyber risk.” - Rob Sloan, Cybersecurity Research Director, Wall Street Journal.

Hi, I’m Craig McDonald; MailGuard CEO and cybersecurity author.
Follow me on social media to keep up with the latest developments in cybersecurity and Blockchain; I'm active on LinkedIn and Twitter.
I’d really value your input and comments so please join the conversation.