The short-term shock factor of a cyber attackYou shouldn’t lose sight of the fact that cybercrime can be as frightening as any other form of crime. Just because you aren’t under physical threat from someone with a weapon, it doesn’t mean that there isn’t going to be a period of panic. It’s in this moment that businesses with a plan really feel the benefit. If you have a team of trained professionals and a clear plan in place, you’ll be able to spot a digital danger at the earliest opportunity and react. It’s important to try to be calm and contact relevant experts where appropriate. This might be IT professionals who can understand what they’re dealing with (you may wish to pay for specialist support), as well as the authorities who need to be alerted to the fact that a crime has been committed. Businesses have to be honest with customers and alert them at the earliest opportunity that there is an issue. This might cause alarm, but it’s in all stakeholders' interest to inform the public straight away. Indeed, with clear communication, this initial shock doesn’t have to be as financially ruinous as you fear. One piece of research conducted in the UK found that a company’s share price only fell by more than one percent in a quarter of cases. A fall of more than two percent during the first trading day after a cyber attack occurred in just one in ten cases. Clearly, this isn’t ideal, and even a relatively small financial hit could prove terminal for a smaller business. There is also the potential for the initial shock to be much worse depending on the nature of the threat, so companies have to brace themselves for an immediate financial issue.
The medium-term mop upThe way you react to a crisis as a business can be telling. If you keep customers up to date – after that initial contact – provide them with support, and if necessary give them a reward for sticking by you. This helps emerge from a cyber attack with your professional reputation untarnished. You should also, of course, review your internal policies and continue to work with the authorities. Failure to do any of this could make the matter worse. Most attention – from the media and customers – will naturally die down after the initial shock, but this won’t occur if you handle it badly. A poor response keeps the story alive, reminding people of the cyber attack and damaging your reputation. Yahoo, for example, took two years to reveal its customers’ data had been stolen in a cyber attack. The news came in two batches in 2016 – and its share price plummeted five percent after the second announcement. It’s important that businesses appreciate that share prices are based on confidence, as well as performance. A business that reacts badly to a cyber attack is more likely to damage confidence in its brand than one that reacts quickly, calmly, and professionally.
Reputation management for the long-termAccording to a study from 24/7 Wall Street, Equifax has some work to do to build their reputation back up. The credit rating agency had the data of 143 million Americans stolen last year but crucially sparked anger among customers by not reporting the fact for a month. What is important here is that this incident shows the real long-term damage of a cyber attack can be reputational – and the financial impact of this sort of damage can be even more significant than that of the initial shock. British broadband provider TalkTalk, for example, suffered a data breach in 2015, an event which caused a one-off cost of $52 million, but the ‘slow-burn’ costs added more than $44 million more, according to Lloyd’s. Businesses might well need to come up with a marketing strategy to recover lost ground – and have to factor this into the cost of their cyber attack.