By Laveen Prakasan, Senior Account Manager, Singapore. Laveen is a specialist in media relations, crisis management, and content development, particularly in the Financial Services, Technology, and Consumer Brands.
Cybercrime is expected to cost the global economy USD10.5 trillion annually by 2025. With increasingly sophisticated attacks ranging from ransomware to malware and social engineering to denial-of-service events. It’s estimated that a single, successful cybersecurity attack costs an average of USD4.35 million. This is a steep figure, but it’s even worse when you consider that 83% of organisations say that they are hit by attacks more than once a year. The losses could really start to add up, so bolstering your cyber resilience is vital.
Cybercrime is big business, and it’s not just criminals who are getting involved. State-sponsored cybercrime and cyber warfare are now a fact of life and current geopolitical tensions mean that we will see more of this in the future. It’s well-known that Russia has used malware and phishing attacks in the Ukraine, both before and after the start of the war in February. Of course, the confrontation between China and the US over semiconductor chips also continues to simmer, complicating the overall cyber-environment.
The pandemic has also brought new challenges for corporate cybersecurity with the evolution of hybrid work. Employees are using mobile phones and home Wi-Fi networks to connect to company servers and to transmit confidential data. While companies need to be flexible and agile as to where their employees work, this brings significant risks.
The volume and complexity of threats can be overwhelming. The two most common attacks are ransomware, which made up around 35% of volumes in 2021 and data theft at 10% of attacks. In Q2 2022, the top ransomware industry targets were healthcare, professional services, and financial services. While almost half of ransomware attacks occur in the US, Singapore saw over a million attacks in Q2 this year, while Hong Kong saw over 750,000 attacks every month in Q2 2021. Most of these attacks were enabled by a social engineering technique called phishing – where individuals are tricked into handing over sensitive information such as passwords.
Corporates need the right talent to ensure their cybersecurity is solid, but qualified individuals can be hard to find. Demand for cybersecurity services is growing rapidly and traditional corporates are vying with Big Tech and start-ups for the best talent. Companies need to offer top-notch benefits and salary to beat out the competition. The lack of talent is exacerbated in Asia Pacific, particularly in some of the smaller markets. At the same time cybersecurity software which needs to be continually updated, comes at significant cost.
Within this overwhelming landscape, where do you start with a cybersecurity risk assessment? And how can we be prepared when we do experience an attack? It might surprise you to find that a comprehensive internal and external communications plan is a key weapon in our battle against cybercrime. It’s perhaps less surprising when you consider that 95% of cybersecurity issues are down to human error, with phishing being the main culprit.
A robust internal communications and education plan can really pay off in terms of a reduction in losses due to cybercrime. Compared to the cost of qualified cybersecurity experts and up-to-date software, the ROI on educating your employees around the risks is enormous. You need to start by helping your employees to understand the risks and to recognise social engineering attacks. These can include baiting – a technique that piques your curiosity, scareware – in which you are threatened if you don’t share sensitive information, pretexting – where someone impersonates a colleague or a person in authority, phishing – often sends you to a malicious website that looks legitimate, or spear phishing – a more targeted attack on an individual or corporation. Your employees should also know how to secure their connections to your company’s cloud or servers. Thinking carefully about your internal communications templates and frameworks can really pay off.
Communications help build cyber resilience
If the worst does happen and you are hit by a cyberattack, you need a robust crisis management plan which establishes a standard operating procedure for your firm. A cyberattack not only has monetary implications, but reputational ones. It can really dent your customers’ trust in your organisation if their details are stolen, or you are unable to provide vital services. Some companies may even find that there are legal and even reputational consequences if their cybersecurity is not robust enough.
Your crisis plan needs to encompass all your stakeholders including employees, customers, regulators, law enforcement and of course media. Ensure you know your regulatory and legal obligations. You need an up-to-date list of all key contacts in your crisis management team, and this must be cross-functional, likely including IT, Legal, Customer Teams, Communications and Government or Regulatory Affairs, as well as your senior leaders. You should plan to issue statements to both employees and the press as soon as possible detailing what happened and what you are doing to remedy the issue.
Make sure you have complete clarity around your crisis plan, that it’s up-to-date, and that you conduct red teaming regularly. Along with regulatory and legal issues, you will likely need to be prepared for significant reputational management to rebuild trust with your customers. Be prepared to be straightforward with your stakeholders and communicate with openness, honesty, and empathy.
Cybercrime will continue to become more complex and more frequent as technology advances. Cybercriminals will act quickly to exploit loopholes and will continue to innovate to find even more nefarious ways to access your corporate systems. While you cannot prevent criminals from trying to access your systems and data, you can significantly reduce the chances that they will be successful. You will give yourself the best chance if you strengthen your cyber resilience with a comprehensive cybersecurity framework that focuses on the right cybersecurity expertise, the right systems and software, and a comprehensive communications framework.