Amid a spike in attacks, now is a good time for brands to strengthen their cybersecurity strategy.

Brian C. Keeter, Senior Director, Office of the Executive Chairman, APCO Worldwide

February 22, 2024

4 Min Read
The words "Set your Priorities" on a note
Source: seanbear via Alamy Stock Photo

COMMENTARY

Cyber extortion bolted to its highest level in early 2023 after a slight decline in 2022, according to Orange Cyberdefense, and didn't slow down the rest of last year. This year will likely see more of the same.

Cyberattacks on business and industry are increasing in frequency, scale, and cost, especially against high-value targets, such as banks, hospitals, utilities, and universities, which hold the sensitive information most coveted in the dark marketplace. 

Technology and cybercriminals' sophistication are evolving together quickly, yet many companies and organizations are not. Financially motivated cybercriminals are capitalizing on many victims' willingness to pay in hopes of quickly restoring network systems and reclaiming sensitive information. 

In this environment, customers, investors, regulators, and the public will judge brands for more than the security of their networks. They also expect brands to respond to an incident transparently, comprehensively, and promptly.

While brands should continue devoting resources toward the latest defensive technologies, they face growing reputational risk if leadership fails to prioritize strategic incident preparation and response.

For many corporate leaders, it's not a question of having the willingness to start but rather knowing where to begin. Here are four key steps brands should embrace to strengthen their cybersecurity strategy. 

Elevate Cybersecurity to the C-suite and Board

Far too many corporate boards relegate cybersecurity responsibilities to the chief information security officer (CISO) and IT department. Without leadership's involvement, consequences range from incomplete layers of defense to incident responses that are more costly — both financially and reputationally. 

Boards are wise to shift their views of cybersecurity and incident response, creating a culture where they are strategic priorities. Instead of just another IT expense, they're viewed as essential investments to preserve your most valuable assets and protect your credibility with stakeholders.

Start by requiring regular briefings for all directors detailing network security improvements, adherence to best practices, and the latest industry trends. Use this opportunity to discuss hard questions, such as how cyber threats are detected or what it would cost your company if it were fully offline for a week.

Boards should also have a cyber committee equivalent to their corporate governance, audit, or compensation committees. The cyber committee is charged with assessing your company's risk profile, setting robust cybersecurity policy, and determining what resources, including staffing, are needed to reduce vulnerability.

Audit Sensitive Information 

Surprisingly, many organizations do not have a full line of sight on the sensitive information they have or where it's held, much less how it could be compromised or exploited by cyber-threat actors. 

Job one for the board's new cyber committee is setting a consistent cadence of rigorous audits and assessments. For the same reason you check that all your doors are locked before turning in for the night, regular cyber audits help keep you safe. Knowing vulnerabilities, gaps, or weaknesses shows you how and where to add another layer of security.

Update (or Create) Your Incident Response Plan 

An incident response plan is like insurance. You hope you never have to use it but, when you do, you're thankful to have it.

An incident response plan is a playbook or toolkit to guide you through the short- and long-term aftermath of an attack. It allows you to act swiftly and strategically, protecting your bottom line and reputation.

While it's best to customize your plan to your organization, all incident response plans have common elements: Decision-making protocols clearly define roles and responsibilities. Scenario planning articulates steps to take for various types of attacks. Stakeholder and media mapping identify key internal and external audiences, and holding statements enable communication with each one when deemed appropriate. Your plan should also identify potential third-party legal, forensics, and communication partners, spelling out each one's expertise.

Revisit Cyber Hygiene Training 

While data is difficult to track, some reports indicate insider threats account for as much as 60% of cyber incidents. Insider threats may emanate from a disgruntled employee with harmful intent, but it's often the result of human error.

For example, many employees are in the habit of using free Wi-Fi at coffee shops, restaurants, and other public spaces while on a company laptop, tablet, or phone. Because it's unsecured, public Wi-Fi is fertile ground for attackers. Hackers can lift passwords and other sensitive information or install malicious software on an unsuspecting employee's device, which eventually makes its way to the main network.

Leadership should revisit their company's cyber-hygiene training programs frequently, ensuring they are up to date and address identified weaknesses.

Protect Your Brand Reputation and Assets

If not handled well, cyber and ransomware attacks cost more than the potential loss of data or money. Embracing these steps can help avoid the loss of trust, credibility, and reputation, additional costs that can take months or years to recover.

About the Author(s)

Brian C. Keeter

Senior Director, Office of the Executive Chairman, APCO Worldwide

Brian Keeter is a senior director at APCO Worldwide, based in Washington, DC, in the firm’s Office of Executive Chairman. He co-leads APCO's cyber protection and reputation team and supports clients in higher education, transportation and infrastructure, and global commerce. He is also a Senior Fellow with the McCrary Institute for Cyber and Critical Infrastructure Security.

Prior to joining APCO, Mr. Keeter served at Auburn University as executive director of public affairs where he led executive communications, served as the president’s spokesman and directed the university’s federal relations program. He previously served as associate administrator for public affairs at the US Department of Transportation’s Federal Highway Administration. He has managed a state-wide political campaign, worked in international democracy development, and served as press secretary for two members of the US House of Representatives.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights