It seems like we hear almost daily about a new, major data breach, compromising hundreds of thousands of individuals’ private information and leaving billions of dollars of damage in its wake. Just this morning, Air Canada announced their mobile app was breached, saying 20,000 customers may have had their personal information "improperly accessed", forcing the airline to lock down all 1.7 million accounts until passwords are changed. Wired magazine recently published this story about how one of the world’s largest shipping companies was held hostage in such an attack, sending IT teams across A.P. Møller-Maersk panicking, and ultimately causing nearly a fifth of the world’s shipping capacity to come to a complete halt.
The virus, known as NotPetya, turned out to be a WMD of malware, and is the largest attack of its kind the internet has ever seen.
Maersk wasn’t the only one to suffer either. The US government estimates that nearly $10 billion in damage was done across the globe, likely at the hands of Russian hackers who unleashed NotPetya on companies big and small. Here are the sobering figures of how much damage some of these companies suffered:
Merck: $870 million
FedEx: $400 million
Maersk: $300 million
Given the extreme severity and steady frequency of attacks like NotPetya, WannaCry and others, it’s safe to say that data breaches are no longer a question of if, but when, for Canadian organizations. This threat is constantly growing and evolving, and organizations must have a plan in place that allows for rapid response.
No matter how robust your cybersecurity protocols are, there is almost no time to play catch up when a breach occurs. Just imagine this scene detailed in Wired at the headquarters of Maersk:
All across Maersk headquarters, the full scale of the crisis was starting to become clear. Within half an hour, Maersk employees were running down hallways, yelling to their colleagues to turn off computers or disconnect them from Maersk’s network before the malicious software could infect them, as it dawned on them that every minute could mean dozens or hundreds more corrupted PCs. Tech workers ran into conference rooms and unplugged machines in the middle of meetings.
While Provident is not a cyber security company, we always stress to our clients that investing in a crisis response communications plan is just as important as having a security response plan in place with your IT department. The logic is simple: a massive attack impacts the thousands if not millions of your organization’s customers. Putting out the fire is paramount, but communicating with those impacted is just as important. What you do in response matters just as much as what you say and how you say it.
With that in mind, we have designed data breach scenario training and tailored response plans to help you prepare in the event of a cyber attack or data breach, protecting your brand and reputation, while ensuring you keep the confidence and trust of the public. We must recognize we live in a world where the public expects a swift response, and reputational damage will only get worse if there is any delay.
If you think you’re immune, think again.
According to an Ipsos poll, half of Canadian C-suite executives and nearly a quarter of entrepreneurs said the cybersecurity of their business was breached in 2016. We don’t even have to look that far back to note that over 600,000 Canadians had their personal profiles shared with Cambridge Analytica through Facebook, 19,000 had their personal information compromised through Equifax, and nearly a million had their names, emails and phone numbers exposed when Uber was hit.
Given how commonly these cyber attacks are occurring, the government of Canada has a new law coming into effect on November 1, 2018 that mandates all companies to notify individuals if their data was compromised. Failure to do so can result in a fine of up to $100,000 for each offence.
Like other forms of crisis, cyber attacks can completely disrupt an organization's ability to function, impact both internal and external relationships, and if not handled properly, be extremely costly to fix. That is why companies must adapt and better prepare for responding to potential breaches before disaster strikes -- not during, or after.