It is now recognised that it’s a matter of ‘when’, not ‘if’, a cyber attack will impact even the smallest of businesses or charities. Many throughout the country are now grappling with business continuity plans that are fit for a digital era and cover more than fire and flood scenarios or IT systems going down. How you handle the situation when an attack strikes, both with internal stakeholders such as your staff and external stakeholders such as your clients, customers or suppliers, is a hidden gem that can be imperative to long-term resolution. Ultimately, being prepared to protect your reputation and relationships is an often-missed aspect of true cyber resilience and business continuity planning. If you haven’t already done so, now is the time to think about it.
We asked Michelle Hakim, co-founder of London-based reputation management consultancy 8hwe, for her take on the issue. With nearly two decades of experience in the field, Michelle is trusted by some of the country’s most high-profile organisations, and she specifically tailored her response for micro and small organisations.
Here’s what she had to say:
Cybercrime – Covid’s Digital Cousin
When your business falls victim to cybercrime, it is not just your systems that can be affected but your relationships with customers too.
None of us likes giving others bad and inconvenient news.
Having to tell someone you’ve seen recently that you’ve now tested positive for Covid-19 has become this year’s equivalent of telling your neighbour you’ve run over their cat. Or telling your best friend you’ve just seen their ex with someone new. Or getting to the airport and telling your kids you’ve forgotten to pack their passports.
But, as we hopefully see light emerging at the end of the Covid tunnel, passing on one other bit of bad news has become more recurrent this year and will only increase further in the future: admitting to customers and clients that you’ve been subject to a cyber-attack.
This impacts on us all – sole traders, micro, small and large businesses; like Covid, no-one is immune.
A few years ago, cybercrime – fraud, cyber-attacks, data breaches and theft – was something that few, if any, small businesses gave much thought to. It was perceived as a problem for multi-nationals, global brands and governments, not beauticians, restaurants, small online retailers or charities. Surely cyber criminals would never bother to target a local business, a community-based project or a charity with turnover running into thousands not millions of pounds?
When you have a marketing or advertising spend running into the tens of millions and a loyal customer-base which is global and built over many years, your ability to spend your way out of it or take a temporary hit is regrettable but manageable.
Today, however, the likelihood of SMEs and micro-businesses being victims of cybercrime is not only far greater but the potential reputational damage is far more significant and can break a brand or irreparably damage a business literally overnight.
As customers, we build our loyalty to brands through repeat purchasing. We develop trust in those we purchase from: trust that they will deliver – hence the focus on fulfilment that online retailers prioritise; trust that their products and services offer value for money; and trust that they will look after us – either in person or through the data we share with them.
A restaurant that gives you food-poisoning rarely gets a second chance. A hairdresser that dyes your hair mousey brown when you wanted platinum blonde doesn’t often get a return visit. An online shop that delivers broken products is written off as a broken promise.
And yet, too few small businesses are putting the same dedication and thought into protecting their own and their customers’ data.
Emailing your customers to say their credit card details have been stolen because your system has been hacked. Phoning each of your clients to check which invoices they have received and paid because someone’s set up a false bank account in your company name. Writing to each patient to inform them that criminals now have full details of their names, addresses, passwords and the last five treatments they had with you.
These are all forms of communication you just don’t want to ever have to make. And chances are, you’ll have to do it in the midst of sorting out what financial damage the criminals have done to the rest of your operation.
So, how to avoid it? 5 top planning tips:
Run a ‘fire drill’ - The quickest, easiest and safest way to prevent problems is to take advantage of the services and programmes our nationally recognised Cyber Resilience Centres offer. The Exercise in a Box enables you to ‘run a fire drill’ of a cyber attack and learn what you don’t know and truly inform your business continuity plan.
Prepare honest communications - If the worst happens, don’t dig a deeper hole for your business. Honesty is the best way to protect what is left of your integrity. Be upfront with those whose data has been compromised. Provide them with as much information as they need. Warn them about what to look out for and what precautions they now need to take. Preparing some draft letters in advance to refer to when you are under pressure, or at least making sure you know how you would communicate in this scenario and what you would need to say, can truly help with this.
Know your risk numbers - There is no easy way out of this. There is undoubted damage to your reputation. Liaise with your FD or Accountant in advance and be clear on what percentage of business you can afford to lose whilst continuing to trade to ensure you understand clearly how to manage priorities across retaining business levels when you are under pressure.
Demonstrate you have been cautious - The best way to mitigate the damage is not to become a victim in the first place. And, if you do, be able to demonstrate how you had done everything in advance to minimise the possible threat. The Cyber Resilience Centres’ guidance from the Core free membership alone will help you prepare. Additional paid membership options and affordable service can further improve your resilience and this is all demonstrable to your insurers, clients, customers, staff and suppliers.
Action plan - Cybercrime is here to stay. But like Covid, we can all reduce the risk if we understand our businesses’ vulnerabilities, realise we are not immune and stop the spread by taking affirmative action. Whether your business has a communications advisor or not, it is wise to include ‘reputation’ as a factor as you create your plan for handling such a scenario.