When it comes to cyber attacks, it’s not a question of if. It’s a matter of when. Nefarious actors are increasingly attempting to steal your sensitive data, extort sums to allow you to regain access to data they’ve encrypted, or simply cause maximum disruption to your organization’s activities. Regardless of their motive, you must remain vigilant.
Even a cursory glance at today’s headlines makes clear that private and public organizations of all sizes and from all sectors are affected—from a prominent Canadian real-estate development company suffering a data breach, to online services of the City of Saint John being shut down, to Montreal’s transit authority suffering a ransomware attack, to hospitals throughout North America being repeatedly targeted by bad actors—and those are just the most recent cases.
The ongoing wave of cyber incidents has prompted the Canadian government’s cyber defence agency to issue a warning that ransomware attacks against critical Canadian businesses and infrastructure are “almost certain” to continue, citing shifts in the online vulnerability of Canadians as more of us work, shop and socialize remotely due to the pandemic.
Is your organization prepared?
As in any crisis situation, timely and relevant communication plays an essential role in recovering quickly from a cyber attack and returning to business-as-usual. You cannot react with silence. A communications vacuum will be filled by rumours that could lead to panic among customers, employees and other stakeholders. You must control the narrative. After all, your organization’s reputation is at stake.
Here are some key points to consider:
The importance of business continuity planning
Cyber attacks often shut down email, scheduling or phone systems. If you don’t have access to your systems, can you continue to operate? What are your back-up plans? Could you still communicate with employees and customers in the event of a systems shutdown?
In addition to reviewing your cyber incident response plan and putting it to the test through tabletop exercises featuring realistic scenarios, you should consider dusting off and reviewing your business continuity plan to ensure conformity with best practices.
Changing expectations for restitution
It is becoming increasingly common for companies that experience a cyber attack to provide credit monitoring for customers or individuals impacted by an incident. Typically, such a service is provided for up to a year, but in some cases, coverage can be of a longer duration. For example, the recent Desjardins privacy breach—which impacted 4.2 million members—resulted in the organization offering credit monitoring for five years. Providing such a service can be costly and is not typically included in most organizations’ budgets.
Regulatory requirements usher in new communications considerations
As cyber attacks that breach Personally Identifiable Information (PII) become more common, governments have recognized the need to update legislation to protect their citizens.
On November 17, 2020, the federal government tabled Bill C-11, the Digital Charter Implementation Act, 2020, which seeks to significantly overhaul Canada’s federal privacy laws, providing individuals with greater control over their data and holding companies that handle personal data accountable for protecting that data. The proposed legislation provides for significant fines against companies that fail to protect their users’ data, meaning that protecting the data and privacy of Canadians will become a higher-level priority for organizations that had previously only paid lip service to the matter.
Increased connectivity means more portals and vulnerabilities
Your organization may have top-notch security measures in place, but what about your vendors and suppliers? For companies working with outside partners, it is important to understand how your data and information are being stored on their systems and what cyber security measures they have in place. Cyber criminals are constantly looking to exploit security flaws by targeting the weakest link in an IT network.
Our best advice is to be prepared with a comprehensive communications plan before you’re faced with a cyber attack. Have an incident response plan at the ready—ideally one that has been tested through cyber breach simulations.
NATIONAL Public Relations has access to an integrated team of crisis experts, legal counsel, IT, and security experts to ensure effective communications with stakeholders in both official languages, in the event of a cyber attack.
We would welcome the opportunity to help you devise and implement a robust, state-of-the-art incident response plan. After all, an ounce of prevention is worth a pound of cure!
——— Andrea Mandel-Campbell is a former Senior Vice-President and Practice Lead, Capital Markets at NATIONAL Public Relations