Building a Misinformation-Resilient Business

By now, almost everyone has heard about the threat of misinformation within our political system. At this point, fake news is old news. However, this doesn’t mean the threat is any less dangerous. In fact, over the last few years misinformation has spread beyond the political world and into the private sector. From a fake news story claiming that Coca-Cola was recalling Dasani water because of a deadly parasite in the bottles, to false reports that an Xbox killed a teenager, more and more businesses are facing online misinformation about their brands, damaging the reputations and financial stability of their organizations. While businesses may not think to take misinformation attacks into account when evaluating the cyber threat landscape, it is increasingly clear that misinformation should be a primary concern for organizations. Just as businesses are beginning to understand the importance of being cyber-resilient, they also need policies in place to stay misinformation-resilient. This means organizations need to take both a proactive and a reactive stance towards future misinformation attacks.

Perhaps the method of disinformation we are all most familiar with is the use of social media to quickly spread false or sensationalized information about a person or brand. However, disinformation can take a number of different guises. Fraudulent domains, for example, can be used to impersonate companies in order to misrepresent brands. Attackers also create copycat sites that look like your website but actually serve malware that visitors download when they visit the site. Insiders can weaponize digital tools to settle scores or hurt the company’s reputation; the water-cooler rumor mill can now play out in very public and easily shared online spaces. And finally, attackers can produce doctored videos, called deepfakes, that convincingly show public figures saying things on camera they never actually said. You’ve probably seen deepfakes of politicians like Barack Obama or Nancy Pelosi, but these videos can also be used to impersonate business leadership and then be shared online or circulated among staff.

With all of the different ways misinformation attacks can be used against businesses, it’s clear organizations need to be prepared to stay resilient in the face of any misinformation that appears. Here are 5 steps all organizations should take to build and maintain a misinformation-resilient business:

1. Monitor Social Media and Domains

Employees across various departments of your organization should constantly keep their ear to the ground by closely monitoring for any strange or unusual activity by and about your brand. Your marketing and social media team should regularly keep an eye on any online chatter about the brand and evaluate the veracity of the claims being made, where they originate, and how widely the information is being shared.

At the same time, your IT department should be continuously looking for new domains that mention or closely resemble your brand. It’s common for scammers to create domains that impersonate brands in order to spread false information, phish for private information, or just seed confusion. The frequency of domain spoofing has skyrocketed this year, as bad actors take advantage of the panic and confusion surrounding the COVID-19 pandemic. When it comes to spotting deepfakes, your IT team should invest in software that can detect whether images and recordings have been altered.
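To make the domain-monitoring step concrete, here is an added example (not code from the original article) of the kind of triage an IT team can run over a feed of newly seen domains: it folds case, diacritics and common look-alike characters, then flags domains that match the brand exactly after folding, embed the brand in a longer label, or sit within a couple of edits of it. The brand name, the allowlist of owned domains, the confusables table and the sample feed are all constructed for illustration.

```python
# Triage newly observed domains for look-alikes of a brand. Added example, not the
# article's code; brand, allowlist, confusables and the sample feed are constructed.
import unicodedata
BRAND = "examplebrand"  # constructed brand label
OWNED = {"examplebrand.com", "examplebrand.net"}  # constructed allowlist of our domains
# Single-character look-alikes often seen in domain labels (constructed table).
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})
def normalize_label(label):
    """Fold case, strip diacritics (IDN tricks) and collapse look-alikes."""
    decomposed = unicodedata.normalize("NFKD", label)
    plain = "".join(c for c in decomposed if not unicodedata.combining(c))
    folded = plain.lower().translate(CONFUSABLES)
    # Two-character confusables cannot go through str.translate.
    return folded.replace("rn", "m").replace("vv", "w").replace("-", "")

def levenshtein(a, b):
    """Edit distance; labels are short, so the quadratic cost is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registrable_label(domain):
    """Second-level label ('foo-login.com' -> 'foo-login'); assumes a one-label TLD."""
    parts = domain.strip().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def classify(domain, brand=BRAND, max_dist=2):
    """Finding type for a suspicious domain, or None if benign or owned by us."""
    if domain.lower() in OWNED:
        return None
    label, target = normalize_label(registrable_label(domain)), normalize_label(brand)
    if label == target:
        return "homoglyph-match"  # identical once confusables are folded
    if target in label:
        return "brand-embedded"   # brand plus 'login', 'support', 'secure' ...
    if levenshtein(label, target) <= max_dist:
        return "typosquat"        # a keystroke or two away from the brand
    return None

def triage(feed):
    """Keep only the hits from a feed, as (domain, kind) pairs for IT/marketing review."""
    return [(d, kind) for d in feed for kind in [classify(d)] if kind]

# Constructed sample feed standing in for a newly-registered-domains list.
SAMPLE_FEED = ["examplebrand.com", "exarnplebrand.com", "exämplebrand.com",
               "examp1ebrand-login.net", "exampelbrand.com", "weather.com"]
```

The edit-distance threshold should be tuned to the brand's length; a short brand name with `max_dist=2` will produce many false positives, and real feeds also need public-suffix handling that this naive `registrable_label` skips.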

Across all departments, your organization needs to keep an eye out for any potential misinformation attacks. Departments also need to be in regular communication with each other and with business leadership to evaluate the scope and severity of threats as soon as they appear.

2. Know When You Are Most Vulnerable

Often, the scammers behind misinformation attacks are opportunists. They look for big news stories, moments of transition, or times when investors will be keeping a close eye on an organization, in order to create attacks with the biggest impact. Broadcom’s shares plummeted after a fake memorandum from the US Department of Defense claimed an acquisition the company was about to make posed a threat to national security. Organizations need to stay vigilant for moments that scammers can take advantage of, and prepare a response to any potential attack that could arise.

3. Create and Test a Response Plan

We’ve talked a lot about the importance of having a cybersecurity incident response plan, and the same rule is true for responding to misinformation. Just as with a cybersecurity attack, you shouldn’t wait to figure out a response until after an attack has happened. Instead, organizations need to form a team from various levels within the company and create a detailed plan of how to respond to a misinformation campaign before it actually happens. Teams should know what resources will be needed to respond, who internally and externally needs to be notified of the incident, and which team members will respond to which aspect of the incident.

It’s also important to not just create a plan, but to test it as well. Running periodic simulations of a disinformation attack will not only help your team practice their response, but can also show you what areas of the response aren’t working, what wasn’t considered in the initial plan, and what needs to change to make sure your organization’s response runs like clockwork when a real attack hits. Depending on the organization, it may make sense to include disinformation attacks within the cybersecurity response plan or to create a new plan and team specifically for disinformation.

4. Train Your Employees

Employees throughout the organization should also be trained to understand the risks disinformation can pose to the business, and how to effectively spot and report any instances they come across. Employees need to learn how to question the images and videos they see, just as they should be wary of links in an email. They should be trained on how to quickly respond internally to disinformation originating from other insiders, such as disgruntled employees, and key personnel need to be trained on how to quickly respond to disinformation in the broader digital space.

5. Act Fast

Putting all of the above steps in place will enable organizations to take swift action against disinformation campaigns. Fake news spreads fast, so organizations need to act just as quickly. Putting your response plan in motion, communicating with your social media followers and stakeholders, and contacting social media platforms to have the disinformation removed all need to happen quickly for your organization to stay ahead of the attack.

It may seem natural to think of cybersecurity and misinformation as two completely separate issues, but more and more businesses are finding that the two are closely intertwined. Phishing attacks rely on disinformation tactics, and fake news uses technical sophistication to make its content more convincing and harder to detect. In order to stay resilient to misinformation, businesses need to incorporate these issues into larger conversations about cybersecurity across all levels and departments of the organization. Preparing now and having a response plan in place can make all the difference in maintaining your business’s reputation when false information about your brand starts making the rounds online.

Making it Real

I just finished working on a cybersecurity policy for a relatively small dental practice in a large midwestern city. The practice’s IT consultant with whom I was working was pleased with the results and said that this Practice was now “miles ahead of the other dental practices” in terms of its cybersecurity posture. He said that many of the Practice’s competitors had “one or two” pieces of paper to describe their cybersecurity posture, which he said was “one or two pages longer than it needed to be” to describe the security they actually had in place.

I guess we shouldn’t be surprised. Despite the headlines about data breaches or regulatory fines or lost revenue, cybersecurity for many firms remains an abstraction. And when you are focused every day on real issues with customers, patients and staff, abstractions come last.

The way to encourage businesses to focus on either risk or opportunity is to make the abstraction real and to provide a game plan which brings value to all who are involved.

Making It Real

In order to “make it real” for the business, you need three things: 1) a compelling (and simply told) story with characters similar to the audience; 2) a financial picture of the situation; 3) a happy ending. Cybersecurity tells a lot of stories, almost all of which are fear-based. That’s engaging to a point, but often the fear doesn’t seem relevant and it is out of context with the situation. It’s scary to think Equifax can be breached and 147 million records were exposed, but what does that have to do with my Dental Practice? If you tell me a story about a ransomware attack on a dental practice which cost the business $500,000 and that I have a 10% chance of experiencing a $20,000 ransomware loss and a 90% chance of a $1,000,000 loss, I have something to understand. Then if you tell me that if I do A, B and C I can reduce my probabilities by better than half, I see a happy ending.

Bringing Value

Someone once told me that the way they view cybersecurity regulation is like a law which states that if a thief breaks into a house and steals stuff, the homeowner is arrested. Cybersecurity has been framed as a protection against the financial impact a business incurs when bad guys do something to us. That creates a friction in our mind and pushes us against wanting to invest in something to protect against something that we wouldn’t do ourselves.

Instead, cybersecurity should really be framed in terms of reputation and brand. It’s part of the care and service that you bring to your customer, the respect that you have for them and the trust you want them to have in you. Reputational value is a combination of a lot of factors, but in today’s digital age, data privacy is a true (and marketable) benefit.

Telling stories with financial relevance that show the true value of cybersecurity to all stakeholders is difficult. But if we want to make inroads in cyber protection, we will need to do so.


Building Customer Trust Before and After a Breach

There has been a lot of news in the past few years about increased cybersecurity regulations and the potential fines they could impose on companies. From the E.U.’s General Data Protection Regulation to the California Consumer Privacy Act, the thought of government fines has left many businesses worried. And while it’s certainly something to be concerned about, studies have shown that the biggest cost to organizations following a breach isn’t regulatory fines, but loss of customers.

In fact, according to this year’s Ponemon report, lost business has been the largest source of breach costs for four years running. The report shows that, above all other factors, customer loss accounts for 36% of the total cost of a data breach, or an average of $1.42 million in lost business.

Placing more emphasis on customer retention both before and after a data breach will therefore greatly reduce the costs a breach could have on an organization. The Ponemon report shows that while businesses that were able to keep customer turnover below 1% experienced an average total breach cost of $2.8 million, organizations with customer turnover of 4% or more averaged a total cost of $5.7 million.

And there are a number of different steps an organization can take to help keep customer turnover as low as possible.

Customer Retention, Before and After a Breach

Before

You don’t want to wait until after a data breach to tell your customers that you prioritize cybersecurity. It will come across as insincere. After all, what reasons have you given to make customers believe it? That’s why placing an emphasis on your commitment to cybersecurity and protecting customer data before a breach is essential.

A key way to show your commitment is to have a governance structure in place that shows you prioritize cybersecurity. The Ponemon report shows that having an established executive position responsible for ensuring the protection of customer data directly helps to reduce lost business.

Educating customers about privacy is another great way to build trust. Be upfront with your customers when it comes to how you use their information and why. This can involve having an accessible and clearly written privacy policy, informing customers about your use of cookies, and recommending the use of multifactor authentication.

After

In the event a breach does occur, not all hope is lost. Your customers will be rightfully concerned, but making it a priority to show what steps you’re taking to mitigate the effects of the breach will go a long way toward retaining those customers.

An important way to show this is first and foremost to promptly notify those affected about the breach. If a breach occurs, you don’t want to look like you were dragging your feet. There is no surer way to lose customer trust than to seem like you’re hiding the fact that customer data was lost.

After notifying your customers, you also want to provide help for the customers that were affected. Providing comprehensive identity theft prevention tools and requiring customers to reset their passwords are two good ways to do this. In fact, the Ponemon report found that organizations that offered data breach victims identity protection experienced a smaller amount of customer turnover.

After a breach, companies are fond of talking about how committed they are to protecting customer privacy. But the bottom line is that you want to prove this to your customers. Showing respect for their privacy before a breach occurs, and especially afterwards, will greatly reduce the impact your company will endure.