Cyber attacks are inevitable – it’s how you respond that counts

October 10, 2018 by Jonathan Hemus

The Global Data Protection Regulation (GDPR), which came into force in May this year, has fundamentally changed how organisations must respond to a cyber-attack. The onus is on organisations to report any cyber-attack to the authorities within 72 hours or face hefty fines.

GDPR essentially forces companies to go public with any cyber-attack suffered, which poses further challenges when it comes to protecting reputation.

The short-term financial cost of a cyber-attack can be significant, but of equal concern is the damage it can do to business reputation and stakeholders. For example, in November 2017, AP Moller-Maersk said the cost of the cyber-attack it suffered amounted to $300 million, forcing it to cut its profit guidance and sending its share price down 7%.

But for many organisations, cyber-attacks can tempt bosses to focus on the short-term financial impact at the expense of focusing on the longer-term reputational implications.

The reputational impact of a cyber attack

PWC’s Global CEO survey 2018 found that 40% of CEOs ranked cyber threats as their biggest concern, larger than technological change, uncertain economic growth and terrorism.

Dealing with cyber incidents is no longer the preserve of IT managers. It’s now identified as a board-level issue with the potential to cripple your organisation.

Bosses are judged on their response to a crisis. If you are perceived to have responded inadequately to a cyber-attack, particularly one that involves compromised personal data, the short-term costs will be substantial but so will the long-term consequences.

If the crisis is mis-managed, your customers, investors, and the public will lose trust in your organisation.

As we saw with Facebook’s scandal over the misuse of user data, there is a huge amount of trust that the public places in the hands of data-capturing organisations. In the aftermath, Facebook’s stock dropped £25 billion and a campaign to “delete Facebook” went viral. Consequently, Facebook’s reputation is far different now than what it was a year ago.

Planning and preparing for cyber scenarios

Organisations need to understand areas of vulnerability and the potential impact on business. Once your risk landscape is clear, you can scenario plan against different types of incidents, working out how you would respond, criteria for decision-making and the likely resource you would need.

The next step is to turn your risk assessment and scenario planning into a set of response processes and protocols. A quick and effective response is impossible without thorough planning and forethought.

Once you have a plan in place to deal with cyber incidents you must ensure your people are briefed, trained and rehearsed on what they should do. The Cyber Security Breaches Survey 2018 found that while most organisations see cyber security as a high priority, only 20% of employees received formal training around it.

Training should extend beyond IT specialists. From your lawyers to your call centre staff and social media teams.

One of the best ways of rehearsing your cyber response plan is through simulated exercises based on realistic cyber scenarios. This gives people the confidence and capabilities to do and say the right thing.

How to respond post-GDPR

There is an obligation to act quickly or face punitive fines. Consequently, GDPR could act as a positive catalyst for organisations to ensure teams are ready should the worst occur.

Here are 6 steps you should take when managing the situation:

1. Activate your team – Speed is of the essence. Convene your team as soon as you become aware that you may have an issue.

2. Deploy your plan – Uncertainty and high stakes can cause even experienced executives to make poor decisions under pressure.

3. Act quickly – Investigate and address the situation and pro-actively communicate to affected stakeholders. Any attempt to hide the truth, or a failure to communicate, will likely damage reputation and business value.

4. Provide regular updates and information – Reassure stakeholders via multiple sources, including your website, social media feeds, call centres, in-store or in-branch.

5. Exceed expectations – Ensure the steps you take to reduce the impact on affected stakeholders go above and beyond what is expected.

6. Futureproofing – Take steps to avoid another incident. You can be forgiven for an isolated event, but repeat offenders, such as TalkTalk, suffer the worst harm.

The ever-growing list of organisations that have failed to respond effectively to a cyber incident and suffered damaging consequences is a warning to all businesses. No company can immunise itself from an attack. However, planning, training and rehearsal can enable you to respond quickly and effectively and emerge with your reputation intact.


For further insights, take a read of:


Originally published in Real Business (13th August 2018)


Insignia Award Icon

Winner of Consultancy of the Year at CIR Business Continuity Awards 2023

Insignia Award Icon

Finalists for Specialist Consultancy of the Year at CIR Business Continuity Awards 2020 & 2023

Insignia Award Icon

Finalists in 2023 Great British Entrepreneur Awards: Service Industries category

Insignia Award Icon

Winner Specialist Business Book of the Year 2021 at The Business Book Awards (Crisis Proof)

Insignia Award Icon

Finalists in the Lloyds Bank British Business Excellence Awards 2021: Purpose Before Profit category

Insignia Award Icon

Finalists in the Business Champion Awards 2021: Champions in a Crisis category

Insignia Award Icon

Finalists for Business Advisor of the Year at the 2021 Growing Business Awards

Insignia Award Icon

Shortlisted for BCI Europe Awards 2023: Continuity and Resilience Consultant category