Cybersecurity and Corporate Reputation

On the eighteenth of May, Zomato was hacked. In no time, social media was adrift with questions over data security and financial threat to millions of users.

Pressing questions were raised against the poster-boy of Indian e-commerce over its ability to keep user data safe. The reputation of one of the most loved restaurant search and discovery platforms was under fire.

The threat posed by cybersecurity today is more than just security. It is about reputation.

Last year, Yahoo! admitted unearthing a major attack that affected at least five-hundred million accounts, which the company blamed on hackers working on behalf of a government. The sequence of events prompted Verizon Communication to think of withdrawing from an agreement to buy Yahoo!’s core internet business for nearly five-billion US Dollars.

Earlier this year, we also saw a synchronized attack with hackers taking over control of every computer of three Indian banks and a pharmaceutical company and locked them. More recently, over three million debit cards were also exposed to high-risk because of breach in the networks of some of the leading Indian banks.

Hackers are actively pursuing potentially damaging information, ranging from financial data (customer and internal) to trade secrets, products in development, legal and personal data, controversial documents and more.

At an event of a cyberattack, organizations are vulnerable of encountering a wide variety of financial costs. However, the bigger damage is the breach of stakeholder trust and a serious dent on reputation.

Corporate reputation management is the safeguarding of a company’s most integral asset – Reputation. It involves shaping collective perceptions and attitudes about an organization through effective stakeholder engagement. Corporate reputation management can lead to a meaningful and productive relationship between an organization and the environment in which it operates.

Reputation management is a journey for the long haul and is deep rooted in the way companies engage with their stakeholders over a period of time. It is a continual process of influencing stakeholders to acknowledge, appreciate and absorb the foundational tenets of an organization. It helps enhance organizational value as perceived by stakeholders and mitigates negative impact in times of crisis.

As we start sharing more and more of some of our most private and sensitive information with digital platforms based on trust, the degree of our personal vulnerability also increases multi-fold. Organizations and institutions collecting and recording personal data for business operations need to be better equipped to handle their vulnerabilities in current times. This can be enabled by understanding its social, economic and policy-centric environment effectively. An organization needs to identify its stakeholders in this landscape and create multiple touch-points to understand them and engage with them over a period of time.

A pool of influencers in the public, including from its user base, need to be built who will stand by the company as champions in case of an adverse situation. Organizations also need to move away from the culture of secrecy around cyberattacks as most hacks or hacking attempts in India are tucked under the carpet and are not disclosed. This hinders information sharing between intelligence agencies and experts to track down the “dark web” in search of miscreants.

At a much larger level, India needs to tackle the massive problem with pirated software, with some reports claiming more than fifty-percent software used in the country to be unauthentic. This makes it even easier for cybercriminals to access and tamper with systems and networks. Awareness and education can play an important role here, keeping internal stakeholders as a priority cohort in the engagement strategy.

New regulations need to be introduced for the State to stay abreast of the new world of challenges and vulnerabilities being created by highly sophisticated cybercriminals. The IT Act of India was institutionalized way back in the year-2000. In the past years, realities have changed tremendously in terms of how users engage with computing and the revolutionary connectedness of devises that has set in. Several of the companies we see today have come with disruptive new-age business models, which often present surprises at the policy level. These companies need to make proactive efforts to reach out to the upper echelons of the State decision making and bring about awareness and education about their businesses, the threats they face, and how effective policies can support them.

The threat of a cybersecurity breach and its impact on corporate reputation is arguably the issue keeping the C-Suite up at night—and it will likely be the top issue for years to come.

Reputation of an organization is hinged strongly on what it communicates, to who it communicates to, and where it communicates as much as its ability to adapt to response and feedback from its stakeholders. This makes it a cyclical, continual cycle.

Keeping cybersecurity in mind, organizations need to adopt a concerted effort to understand and address this threat in a focused and diligent manner.

Start with being prepared. Cybercriminals are increasingly getting more sophisticated in their attack pattern of venting, organizing, mobilizing and boating. Organizations need to be ahead of the curve to monitor this “deep web” with data, information and intuition to counter a breach and communicate during an attack progression. In addition, the organization needs to be prepared in the event a hacker is successful, for which you need to invest in scenario planning, communication channels and response mechanisms.

In case a breach occurs, you need to manage it effectively and with speed. A crisis management and communication team needs to be well strongly in place to respond and navigate through the chaos that comes in at the time of a cyberattack. There are two aspects that need to be addressed in such situations – countering the attack and managing the communication. Both requires information to be churned out and analysed in real-time. This is where your champions in the stakeholder universe will count the most.

Finally, restoration. The post-breach process needs to be directed to restore confidence in the organization and rebuild the corporate reputation. You may get the impression that this is a sequential final stage, but this actually flows through the entire process right from the time a cyberattack breaks out. Transparency and frequency is at the crux of this communication. The stronger the engagement and trust has been in the stakeholder universe, the quicker the turnaround is expected to be.

Safeguarding corporate reputation in the cyberage needs a holistic understanding and approach. Organizations need to be ahead of the curve at all times making sure we are equipped to prepare, manage and restore. Proactive stakeholder engagement can go a long way in equipping the organization achieve the same.

Rajneesh Chowdhury is Vice-President at The PRactice