By Reg Harnish
Originally published by O’Dwyer’s
Cyberattacks present media with the type of drama they crave for good headlines. They also present an interesting psychological phenomena: on one hand, they’ve become part of the world in which we live; on the other, each headline can set the public into cyclic worrying. Is my financial information safe? Will I wake up in the morning with an empty bank account? Has my identity been stolen? To your business, it’s an organizational crisis. To your customers, it’s personal.
The affected company scrambles into action. It soon declares the problem “fixed,” perhaps offers assistance to any stakeholders dealing with the aftermath, and the public moves on, some believing in the “new” level of promised security and some moving their business — and their data — to the competition.
And then the next attack happens.
There are three key rules in the cybersecurity realm. Rule #1: you will experience a breach; rule #2: cybersecurity is less of a hardware or software issue, and more of a human, psychological issue; rule #3: the most effective response for protecting your reputation and your business is proactive planning for both cybersecurity and crisis communications.
A cyberattack is also a PR crisis; its potential impact must be considered in your communications program. Many customers and stakeholders equate cybersecurity with the best software program, government-standard data encryption, or lax human resources and physical location policies. In their minds, a cyberattack is you breaking your promise; it has become a violation of their trust in you. You risk a breach not only to your data, but your reputation.
You will experience a breach
Like any crisis, cyberattacks occur with varying levels of severity, from a virus causing various degrees of harm, to major enterprise breaches and stolen data. According to CRN, data breaches were particularly big in 2015. In 2013 we had the infamous Target retail data breach that still commandeered 2014 headlines, while in 2015 government office breaches appeared to be a particular target.
How can these breaches happen? After all, our government and major U.S. businesses spend millions on cybersecurity. (Target had just completed its mandated cybersecurity attestation a few months before that major hack.) Collectively, organizations of all forms invest billions of dollars in cybersecurity and work hard to remain compliant with mandated cybersecurity measures. But the harsh truth is, the investment can’t just be in dollars, and compliance doesn’t equal security. The state of cybersecurity today is not if, but how often and what impact each attack will have on your organization.
The truth is, compliance, whether voluntary or mandated, can be a distraction, giving organizations and their stakeholders a false sense of security. The best security programs guarantee compliance, not vice versa. Do you understand the gap between your compliance program and your ideal security program?
The reality is that compliance makes you feel secure when you’re not.
Cybersecurity is a human issue, not a technology issue 
The best cybersecurity program is a process, not a piece of software. Seven out of 10 cyberattacks will get by any software, and none of them adequately compensate for human error. Your CIOs likely know this. Investment in hardware and software is important, but the greatest risk to your organization is the people within it. You must move people to the top of the cybersecurity assessment and management list.
Read the original O’Dwyer’s PR story here.
* * *
Thomas Graham is CEO of Crosswind Media & Public Relations. Reg Harnish is CEO of GreyCastle Security.
This article is featured in O’Dwyer’s Jan. ’16 PR Buyer’s Guide and Crisis Communications Magazine
