ISACA Now Blog


Cybercrime Can Put Reputation of Enterprises At Stake

Frank Downs, Senior Manager, Cyber/Information Security, ISACA
Posted at 3:02 PM by ISACA News | Category: Security

Worldwide, organizations are concerned about cybercrime – but not necessarily for the reasons most would think. While many organizations worry about the technical issues that are posed by a cybercrime attack, such as ransomware locking up entire swaths of servers – bringing business operations to their knees – most are even more concerned about their public perception and loss of clientele.

In fact, while an attack or exploitation by a cybercriminal may be technically damaging to an organization, the fallout over the attack’s handling may be even worse, revealing some of the companies’ true fears.

Understanding the technical implications of an attack is incredibly important. That’s why many organizations employ incident response teams. Analyzing an attack and restoring business operations are key to ensuring that organizations do not fall prey to the same attack or, ideally, the same attacker. However, with a proper incident response and disaster recovery element, technically recovering from an attack simply becomes a matter of restoring services and implementing the appropriate cybersecurity controls to protect an exploited organization.

What takes much longer to restore is public brand perception and customer retention. Companies have shown their fear of customer loss in the past by implementing rather dramatic controls in an effort to keep their customers. For example, after Yahoo revealed its most recent breach in 2016, it immediately disabled the automatic email forwarding feature.1 While this was a small change on Yahoo’s part, it was a huge change for its customers, who may have wanted to change their email provider to another service while ensuring that they did not miss anything pivotal sent to their old address. Thus, users had a much harder time making the switch over to another email provider out of fear of potentially missing an important email. It goes without saying that users, and the media, reacted adversely.

In comparison to Yahoo, the University of Maryland, which suffered from the theft of student personally identifiable information (PII) in 2013, pivoted dramatically by announcing the attack and its response in the same week. Each student with compromised information was provided five years of credit monitoring. Additionally, public presentations were made that explained the attack as well as the types of controls placed to deter future attacks. Thus, the situation was quickly relegated to memory and barely discussed beyond the ensuing weeks.

The Yahoo and University of Maryland examples are just two that illustrate the real damage that can occur from cybercrime attacks: reputational damage and loss of consumer confidence. Those working in cybersecurity should keep this in mind during an incident response or disaster recovery – though the technical impact to an organization may be damaging, the reputational damage could be leagues worse.

Editor’s note: Through its Cybersecurity Nexus (CSX), ISACA has issued new guidance providing insights on some of the top emerging cyberthreats and the methods through which enterprises can defend themselves.

1 https://techcrunch.com/2016/10/10/yahoo-makes-it-difficult-to-leave-its-service-by-disabling-email-forwarding

Comments

A contrarian view on this

Certainly the reputational damage to corporations arising from cyber attacks is tremendous. More than what we could fathom and also it's pertinent to note that the damage is pretty much long term. But here I would like to mention a contrarian view in that - while surely corporations make all the efforts at protecting their hard earned reputation....one of the mechanisms to fight this cyber warfare might in fact be reporting the malware / ransomware ASAP....as this would prevent spreading it further and alert security teams across the world to take corrective action. This could prevent a lot of damage on a global scale and might save other corporations from getting infected. Maybe one can treat this as a global epidemic where reporting early causes the world to take note and steps from preventing it further. In protecting reputation, corporations sometimes stretch the matter too far and eventually help the cyber criminals achieve their goals of spreading their infections on a much larger scale within and outside of the organisation. Also sooner or later the discovery of a breach is made and the reputation which corporations tried to protect all these times, gets ruined more
Ankur Maniar at 2/7/2017 11:48 PM

Re: Cybercrime Can Put Reputation of Enterprises At Stake

The contrarian view is an interesting view
Chidi292 at 2/15/2017 11:28 AM