Preparation for Crisis Management Is Crucial
Scott Sobel, M.A. Media Psychology, Senior Strategy and Communications Executive, kglobal
I recently participated in an intimate meeting between a U.S. intelligence agency cyber-attack investigator and a law firm client’s senior committee to prevent cyber-hacks into their firm’s digital network. We set up the meeting and worked with our client and the intel agency for this proactive conversation to hear about the latest trends in cyber-crime. The intel agent said it is remarkably rare that professional services firms or other businesses dealing with sensitive data proactively take advantage of the agency’s free consultation. The firm was already doing everything recommended to prevent hacks, and had not experienced a successful hack, but the conversation was still stunning.
The agent warned that cyber-criminals are constantly trying to breach the defenses of law firms and other businesses dealing in sensitive financial data, and I mean trying constantly. The well-known firm we were visiting in DC confirmed it registers tens of thousands of spear-phishing attempts every year, and the intel agent agreed that number is not unusual for a law firm, especially one involved in M&A work, or for active law firm clients.
M&A practices are top of mind for federal cyber investigators today, but all firms and their clients are targets, and staff are not only targeted when sitting at their office desks.
The agent warned that accounts are most vulnerable to hacks when staff members:
- Travel or attend trade conferences
- Use unsecured Wi-Fi at hotels associated with conferences or at popular destinations for professional services guests
- Respond to email that looks like it comes from a familiar email address but has a character changed (e.g., real address – JohnDoe@lawfirm.com, spear-phish address – JohnDoe@lawfirm1.com)
- Respond to suspicious tweets
- Log on to Wi-Fi at a favorite coffee shop or public place (that action may save time but could cost a lawyer much, much more than the pricey latte on the menu)
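The changed-character example in the list above is something a mail gateway or security team can check mechanically rather than leaving it to each recipient’s eye. The following Python script is added here as an illustration; it is not part of the original article or of kglobal’s material. It flags a sender whose domain is within a couple of character edits of a domain the firm trusts, or whose domain embeds a trusted domain’s name inside an unrelated one, while leaving genuine subdomains alone. The trusted-domain list and the sample From: headers are constructed.

```python
"""Flag e-mail senders whose domain is a near-miss of a domain the firm trusts.

Added example (not from the article): the trusted domains and the sample
From: headers below are constructed for illustration.
"""
import re
from typing import List, Optional, Tuple

# Constructed allowlist: domains the firm and its clients actually use.
TRUSTED_DOMAINS = ["lawfirm.com", "bigclient.com"]

# Constructed sample From: header values, as a mail log might record them.
SAMPLE_SENDERS = [
    "John Doe <JohnDoe@lawfirm.com>",         # genuine
    "John Doe <JohnDoe@lawfirm1.com>",        # one-character lookalike (the article's example)
    "IT Desk <helpdesk@lawfirm-secure.net>",  # trusted name embedded in a foreign domain
    "billing@mail.bigclient.com",             # legitimate subdomain, not flagged
    "someone@example.org",                    # unrelated domain, not flagged
]

# Matches "addr@domain" optionally wrapped in angle brackets at the end of the header.
_ADDR = re.compile(r"<?([^<>\s]+@([^<>\s]+))>?\s*$")


def levenshtein(a: str, b: str) -> int:
    """Minimum number of single-character inserts, deletes or substitutions turning a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(header: str) -> Optional[str]:
    """Extract the lower-cased domain from a From: header value, or None if unparseable."""
    m = _ADDR.search(header.strip())
    return m.group(2).lower() if m else None


def flag_lookalike(header: str, trusted: List[str] = TRUSTED_DOMAINS,
                   max_distance: int = 2) -> Optional[Tuple[str, str]]:
    """Return (reason, impersonated_domain) if the sender looks like a trusted domain, else None."""
    domain = sender_domain(header)
    if domain is None:
        return ("unparseable", "")
    # Exact matches and genuine subdomains (mail.bigclient.com) are trusted as-is.
    for t in trusted:
        if domain == t or domain.endswith("." + t):
            return None
    for t in trusted:
        # lawfirm1.com is one edit away from lawfirm.com.
        if levenshtein(domain, t) <= max_distance:
            return ("edit-distance", t)
        # lawfirm-secure.net carries the trusted name under a different registration.
        # (Very short trusted labels would need a stricter test to avoid false positives.)
        if t.split(".")[0] in domain:
            return ("embedded-label", t)
    return None


def triage(headers: List[str], trusted: List[str] = TRUSTED_DOMAINS) -> List[Tuple[str, str, str]]:
    """Return (header, reason, impersonated_domain) for every flagged sender."""
    hits = []
    for h in headers:
        verdict = flag_lookalike(h, trusted)
        if verdict:
            hits.append((h, verdict[0], verdict[1]))
    return hits


if __name__ == "__main__":
    for header, reason, target in triage(SAMPLE_SENDERS):
        print(f"FLAG [{reason}] impersonates {target}: {header}")
```

Run as-is it reports the lawfirm1.com and lawfirm-secure.net senders and nothing else. A distance threshold of 2 is deliberately tight; widening it catches more substitutions but also more unrelated short domains, so the list of trusted domains should be the firm’s real correspondents rather than a generic dictionary.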
The agent stressed that victims need to contact the FBI immediately after being hacked or the cyber cancer will metastasize:
- If you succumb to paying a ransomware demand, it’s likely the criminals will see you as an easy mark and return
- The hackers may sit and watch your network for weeks, months or even years and strike again when you least expect it and are most vulnerable
- Thieves are not only searching for PINs and passwords; they are also sharp-eyed for information that will give them an edge on stock trades
- Cyber-terrorists are more sophisticated in their use of social engineering techniques and more successful at luring staff into downloading malware
Unfortunately, the conversation at the law firm revealed that cyber-marks can rarely prevent all hacks, but they can have plans in place to reduce the chances of being hacked and can even lay traps to discover hacks within network systems, using “honey pots” to lure hackers to locations on the network where their activity can be noticed and shut down.
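The honey pot idea works because a decoy location has no legitimate users, so any access to it is a signal rather than noise. The Python script below is an added illustration of that detection logic and is not part of the original article or of kglobal’s material: it takes a list of decoy share paths and a file-access audit log, and raises an alert for every touch of a decoy, whether the decoy folder is merely listed or a file inside it is read. The decoy paths and the log lines are constructed.

```python
"""Alert on any access to decoy ("honey pot") locations that no real workflow touches.

Added example (not from the article): the decoy paths and the audit log
below are constructed for illustration.
"""
from typing import Dict, List

# Constructed decoy locations. Nothing real lives here; any access is suspect.
DECOY_PATHS = [
    r"\\fileserver\deals\Project_Falcon_Confidential",
    r"\\fileserver\finance\Board_Bonus_Schedule.xlsx",
]

# Constructed file-access audit lines: timestamp user host action path
SAMPLE_LOG = r"""
2024-03-04T09:12:01Z jdoe WS-114 READ \\fileserver\clients\Smith_v_Jones\brief.docx
2024-03-04T09:13:45Z jdoe WS-114 READ \\fileserver\deals\Project_Falcon_Confidential\term_sheet.pdf
2024-03-04T09:14:02Z svc-backup BKP-01 READ \\fileserver\finance\Q1_budget.xlsx
2024-03-04T23:41:17Z jdoe WS-207 LIST \\fileserver\deals\Project_Falcon_Confidential
"""


def parse_line(line: str) -> Dict[str, str]:
    """Split one audit line into its fields; paths may contain spaces, so split at most 4 times."""
    ts, user, host, action, path = line.split(maxsplit=4)
    return {"time": ts, "user": user, "host": host, "action": action, "path": path}


def touches_decoy(path: str, decoys: List[str]) -> str:
    """Return the decoy that `path` is, or lies beneath (case-insensitive), else an empty string."""
    p = path.lower()
    for d in decoys:
        dl = d.lower()
        if p == dl or p.startswith(dl + "\\"):
            return d
    return ""


def find_decoy_hits(log_text: str, decoys: List[str] = DECOY_PATHS) -> List[Dict[str, str]]:
    """Scan an audit log and return one alert record per access to a decoy location."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        decoy = touches_decoy(rec["path"], decoys)
        if decoy:
            rec["decoy"] = decoy
            hits.append(rec)
    return hits


def hosts_by_user(hits: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Group alerting hosts by account, which helps spot one credential used from several machines."""
    out: Dict[str, List[str]] = {}
    for h in hits:
        out.setdefault(h["user"], [])
        if h["host"] not in out[h["user"]]:
            out[h["user"]].append(h["host"])
    return out


if __name__ == "__main__":
    alerts = find_decoy_hits(SAMPLE_LOG)
    for a in alerts:
        print(f"ALERT {a['time']} {a['user']}@{a['host']} {a['action']} {a['path']}  (decoy: {a['decoy']})")
    print("hosts per alerting account:", hosts_by_user(alerts))
```

Against the sample log this produces two alerts, both for the same account but from two different workstations, the second late at night; that pattern (one credential, several hosts, off-hours access to a decoy) is exactly what the agent’s warning about hackers who “sit and watch your network” suggests a team should look for.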
The irony that makes law firms and other sensitive data-rich companies such tempting targets to cyber-terrorists is that the juiciest victims are the most likely to not report the break-ins.
The law firms and clients involved in high-priced deals and other financial jockeying don’t generally publicize that their networks have been breached, or don’t want to turn off clients or prospective clients who might be skittish about hiring the victimized firm or business, regardless of the likelihood that all firms and clients are targets to varying degrees.
Of course, law firms and other businesses are ethically or legally bound to report attacks and events to clients and the authorities but delaying reports or not reporting at all increases the damage done by the crimes and reduces the chances of catching the criminals.
The intel agent at the meeting stressed that victims should report immediately; any delay is deadly. The agent promised that his office would do everything possible to protect privacy and not victimize the victim.
The intel agency visit also underlined the need for internal communications plans that can prevent or mitigate cyber-attacks and then minimize reputation loss when an attack is revealed or deliberately made public.
What to say, how to say it and when to communicate with clients and other stakeholders publicly can spell the difference between surviving cyber-attacks or experiencing a business-ending reputation catastrophe.
kglobal has advised law firms, financial concerns, food-related industries, aviation manufacturers, multi-level marketing businesses, higher education institutions, non-profits, associations and many other market sectors about cyber-security reputation management. The most alarming common threads we’ve noticed are that a majority of these clients just didn’t get around to protective measures … some only recently began preparing, and many couldn’t say definitively if they had ever been attacked! We’ve also heard from attorneys who said legal liability increases if a plaintiff client can show the defendant didn’t take “reasonable” precautions to prevent a hack.
Creating a crisis communication plan, including a regimen of regular internal desktop drills to prevent and prepare for cyber-attacks, will greatly shrink any business’ online and communications security vulnerabilities. The keyword here is “regular.” Businesses have to regularly drill their security and reputation management processes or they won’t react quickly when the real thing happens. Staff will lapse back into the false sense of security that opens the literal and mental firewalls. A likely result will be to usher in the cyber-terrorists who will violate your business and your reputation.