Spoiler Alert: Skip the first paragraph to avoid a spoiler on the Morning Show
Tamara: I’ve been watching the Morning Show on Apple TV+. The big cyber-attack shutting down the newsroom and leaking performance reviews and salaries was high drama. And something you and I have witnessed too many times.
Are cyber-attacks and privacy breaches now a normal part of business? In your experience, is this translating to businesses getting smarter and doing the planning and training beforehand, or is it a case of desensitization and tuning out?
Dominic: As more incidents have occurred in the last decade, clients have become desensitized. Once the stories start hitting the 6 p.m. news, which we are seeing now almost daily, people quickly check out.
Many of our clients, who are small and medium-sized businesses, are more familiar with the breaches than ever, but it’s like eating a hamburger every day when you have a heart condition. They know they will face many problems but will still eat at Burger King daily.
And we saw this reactive response escalate further as we heard about a potential recession.
Today, almost all our clients at Cyber SC are reactive. There is almost no proactive cybersecurity work. Their spending is now almost exclusively oriented around incidents. We no longer even try to propose planning and training since they will likely only sign up with us for support and advice once an incident occurs.
Tamara: They still don’t want to invest in prevention on the crisis communications side either. We’ve had clients whom we helped through a cyber and privacy breach, and then after when we’ve said it’s time to wrap this up into a full crisis comms plan, they say no.
Dominic: Ironically, we can charge more once an incident strikes because the client will see the kitchen is on fire and open the wallet. But we’d still prefer to do advance planning, or at least develop a plan after, but three months after incident spending, the wallet closes before good planning and training is done.
Tamara: My dad was an electrical contractor, and if you do your own wiring, there is a lot of risk, which meant people would call him after trying to DIY it. He had two prices, and guess which was higher!
What are some trends in how you see clients handle major breaches publicly? Are people managing it proactively or trying to keep it up?
Dominic: It’s a mix of both. Many clients want to be transparent but have to make sure it's not too much information. Some are less transparent and want to hide behind broad general statements. I’m not a fan of that. Some state what they know and don’t know, what they’ll be doing, and when you’ll next hear from them. And still, some others try to sweep it under the rug.
If trust is currency or regulated, it tends to be more transparent. Some aren’t really regulated and don’t care, so they don’t say much.
Tamara: What is something encouraging that you’ve seen in the past year?
Dominic: When incidents happen, organizations are paying for expertise, and part of that is they are realizing they want to avoid it happening again.
But there is a recency bias — a six-month window to spend, but they don’t invest after nothing happens.
Tamara: Where are the attacks coming from?
Dominic: There are still a lot of data breaches, hacking and ransomware done by professional global criminal syndicates, often tied to challenging places like Iran, Russia and North Korea.
They are focusing their attacks on small/medium businesses because they are at risk. The pandemic caused more digital and cyber-attacks and increased velocity and intensity.
An interesting development is a shift in business approach for impacted companies. In the past, they relied on insurance to “fix” the problem after the attack came. But now cyber insurance is cracking down. Insurers realize that they can’t hand it out like candy. The claims started increasing, so they started pulling back and asking for requirements over the last 18 months.
If the company can’t prove they invested in prevention, claims are now denied.
The criminals are clever: they know the big companies are prepared, but there is vendor/supply chain risk. They attack the smaller organizations that are connected to larger ones.
Tamara: What about AI and cybersecurity? What is the link?
Dominic: Right now, AI is the flashy topic. But basic cybersecurity should still be the focus. The time to have invested in that was 20 years ago. Get that done first.
If you don’t, AI becomes not just a crisis but an existential threat to businesses. If you haven’t built cybersecurity by the time AI comes, you will be obliterated. A way to think about it is that your security debt will get called, and AI will be the catalyst.
Tamara: We see clients with major reputational threats merely because a single person didn’t have two-step authentication on their email or Instagram account. They are talking about AI but don’t have the door locked.
Dominic: Agree! Two-step authentication is the basic hygiene of cybersecurity, and it is often ignored.
As always, thanks for the chance to connect. It's much nicer discussing trends and the future rather than an urgent client crisis!