Over the last ten years there has been a significant shift in the level of concern over industrial cyber security risk. Executives at energy, utility and manufacturing businesses didn’t use to lose sleep over potential cyberattacks in the way they might have over major safety or environmental risks. At the plant level, operators believed that air gaps and proprietary technology were sufficient defenses against malware, and that attacks on cyber-physical processes were very unlikely.
Fast forward to today, where the industrial sector is digitizing and automating processes at an increasingly rapid rate. While connected systems deliver new value and improve productivity, they also introduce exposure to cyber risk. The accelerating concern about cyber threats by world leaders and the C-suite is obvious:
At Nozomi Networks, our technology solutions provide complete visibility into OT networks and their risk exposure, thereby improving critical infrastructure cyber resiliency and operational reliability. Our products help IT and OT work together to reduce risk and speed incident response.
To help you address the challenge of managing the reputation risk that, unfortunately, comes with a cyberattack, we’ve invited Standing Partnership, leaders in corporate reputation management, to share their best practices for crisis preparedness.
How to Manage Risk and Protect Your Organization’s Reputation
No organization is immune to crises.
Data breaches often top the list of potential threats. In a Standing Partnership/Edison Research survey of 1,000+ executives, 34 percent reported that IT and security issues had created a reputation problem in the past, with more than half anticipating similar problems in the future.
The energy sector is particularly vulnerable. Recent revelations about cyberattacks orchestrated by Russian hackers against U.S. energy companies emphasize how important crisis readiness is. According to Cisco, the number of so-called distributed denial-of-service (DDoS) attacks is projected to grow to 3.1. million by 2021.
Increasingly, companies are judged not by whether they experienced a crisis, but by how they handled it. Successful crisis management is measured by the ability to navigate the situation with a stable stock price and an untarnished reputation.
The Difference Between Risk & Crisis and Why You Should Care
Crises can be caused by external or internal factors. A natural disaster is an external threat beyond your control, yet it’s still important to respond with speed and transparency. Organizations typically rebound faster from external crises because it is easier for stakeholders to forgive unintentional harm.
On the other hand, incidents resulting from purposeful misdeeds or negligence that could have been prevented (e.g., poor cyber security measures or unethical behavior) are more difficult for stakeholders to “get over,” often leading to reputational damage.
Not every risk causes a crisis, but those you should have known about and taken steps to address are the ones most likely to cause damage. It is recommended to periodically review potential threats and develop plans for preventing them from escalating, or mitigating the impact should they happen.
For example, cyber hacking is a threat that companies have no control over. However, acknowledging the risk allows the organization to evaluate its IT/OT infrastructure and operational policies to identify and close loopholes, and establish procedures for a timely and effective communications response.
Preparedness Is Cheaper Than a Disaster
A poorly handled crisis has broad implications. Regardless of what caused it, impact on stock price and brand is almost immediate.
Reported losses from cyberattacks run in the millions – Merck: $780M, Maersk: $300M, FedEx: $300M. If your efforts around crisis preparedness are met with reluctance, bring up Accenture’s $11.7M per organization cost of cyber crime.
Best Practices for Crisis Preparedness
So, how do you prepare for a crisis? What you say, how you say it and the channels you say it through can either bolster or diminish your customers’ and stakeholders’ trust. Fortunately, there are crisis preparedness best practices organizations can follow, including:
- Align all your crisis response plans
Assemble all existing policies, business continuity, operational and communications plans, plus reports that outline the risks your organization faces. Determine how current they are, and list the gaps.
- Build or update a cross-functional crisis team
Your crisis response team should include representatives from across the organization – safety, operations, legal, IT/OT, customer service, communications, HR, etc. – depending on your business and industry. If you have a head office and remote operational units, determine who from each location should be on the team. Make sure contact information is up-to-date, and that each member has a back-up.
- Develop a written plan
It’s best to have a written crisis response plan that contains responses to scenarios most likely to impact your organization. A typical plan includes the response team list and responsibilities, criteria for assessing severity, a decision-making protocol, key messages, list of communications channels, and sample communications such as internal and external announcements, media statements, social posts and press releases. A plan eliminates second-guessing and speeds up response during a crisis. Ideally, it is reviewed and updated every six to twelve months.
- Train your team
A plan without training isn’t worth much. Gather the cross-functional crisis response team at least once a year to run through the communications plan, and make sure members can execute seamlessly during high stress situations.
Managing OT Risk While Protecting Your Organization’s Reputation
To assess and manage OT risk, and protect your corporate brand, preparedness is key.
