It’s little wonder that cyber security was named as the top concern among South Africa’s business leaders in 2019, and that cyber security features as the most prevalent concern on the risk registers of JSE Top 40 companies.
South African statistics provide devastating evidence of why cyber security is such a major concern to local enterprises.
Close to 580 attempted malware attacks every hour; more than R2 billion lost through cyber-attacks in 2019; the third highest number of cyber-crime victims in the world; and an average cost-to-company of a data breach in South Africa standing at $2.14 million, according to IBM.
But among the myriad local and international research reports and survey results Aprio Credence has reviewed in recent months – all presenting frightening statistics around the prevalence and financial impact of cyber-attacks around the globe – four pieces of relatively obscure, non-technical data caught our attention as reputational risk and resilience practitioners. We firmly believe they should also be of concern to every C-Suite bench, risk and cyber specialist, and communications professional in South Africa:
- A 2018 Deloitte study of more than 300 board members and over 500 risk management, crisis management and business continuity professionals found that 8 of the 11 lessons learned after a cyber crisis were related to sub-optimal communication;
- A 2016 survey conducted by MIT Technology Review Custom in partnership with FireEye and Hewlett Packard Enterprise (HPE) Security Services, revealed that 44% of the 225 business and IT leaders polled said their organisations didn’t have cyber security crisis communication plans in place; while another 15 percent didn’t know whether they had such plans; and
- According to a study conducted by international law firm Morrison & Foerster together with business ethics specialists the Ethisphere Institute, only 34.1 percent of respondents said they felt “very confident” about how useful their crisis plan would be in the event of an actual cyber breach. Of all the major costs and risks associated with a cyber security incident, the potential negative brand and reputation impact, including the erosion of customer trust, could be the most damaging.
- A study by international communications firm Edelman showed 71% of global consumers would switch providers after a company they rarely used suffered a data breach.
These four observations highlight the importance of effective cyber incident playbooks and crisis communication competence and capabilities. They are well aligned with some of the many lessons we have learned providing reputation management counsel to JSE-listed companies and other organisations that have experienced a cyber breach; they reflect some of the insights gleaned from our work facilitating the reputation management elements on dozens of cyber incident simulations across Africa in recent years.
While cyber crises may be driven by technology, at their heart they are very human affairs. Get the stakeholder communications process wrong – a poorly timed piece of communication, transgressing the delicate balance between transparency and strategic disclosure, focusing too much on the breached organisation rather than on the people affected by the incident – and an enterprise can go very quickly from being perceived as the victim of a cyber-attack to being labelled the villain.