On Tuesday, the FBI’s Cyber Division issued a warning to businesses and law enforcement agencies about potential computer vulnerabilities that led to the February 5 hacking of a water treatment plant in Oldsmar, Florida. The event was the latest headline-making reminder for business leaders about the dangers of assuming their companies are immune from an increasingly common type of crisis—cyber attacks. These cyber attacks threaten the ability of organizations to protect their data and the privacy of customers, and to conduct day-to-day business operations.
The Importance of Full Disclosure
The failure to notify those who are affected by the crisis—including customers, employees, and the public—can create another crisis for companies. Full and immediate disclosure of cyber attacks is an important crisis management best practice.
Uber made headlines when it tried to cover up its cyber attack, thereby making a bad situation even worse. As reported by the Wall Street Journal, Uber later “… reached a nationwide settlement to pay a $148 million penalty to settle allegations it intentionally concealed a 2016 data breach.”
Silver Lining
Ken Presti, the vice president of research and analytics at Avant, said the recent cyber attack on the water treatment plant, “… is the kind of attack that security people have long been anticipating. Companies and utilities recognize the risk, but they have a hard time marshaling the resources to close security gaps against attacks that have not previously happened to them.
“There may be a silver lining if this attack is used to support allocation of the necessary resources to improve security. How quickly that happens remains to be seen, but it is clearly one more demonstration of the fact that security needs to be approached proactively—or else we all learn the hard way.”
Advice For Business Leaders
While there are no iron-clad protections against this kind of crisis situation, there are basic steps companies should take to help prepare for, recover from, and get back to business as soon as possible.
Conduct Risk Assessments
“Early risk assessment is a critical aspect of crisis management plan development. Well before a problem arises, organizations should consider all potential risks, which absolutely must include cyber attacks,” according to Eric Yaverbaum, CEO of Ericho Communications.
“Organizations should continuously look for and address potential threats in relation to changing trends and risk factors—crisis management is a dynamic and ongoing process,” he said.
Take Preventive Measures
“Business leaders should…