InfluenceChronicles.com -- With cybercrime against U.S. corporations increasing beyond already epidemic levels, its victims remain largely ambivalent about when, why and how to communicate about it.
According to the advocacy group Privacy Rights Clearinghouse, U.S. companies have been hit with more than 2,600 significant network hacks and breaches since 2010. Yet the Wall Street Journal reports that in that same period, barely one percent of all publicly traded corporations disclosed any cybercrimes in their Securities and Exchange Commission filings – an apparently glaring contradiction in this era of hyper-transparency.
For some of these companies it’s also a precarious position. Consider the potential fallout should a company be forced by events or law to disclose a significant data breach, which in turn unveils previous incidents that were kept hidden from investors and customers.
So why are so few companies communicating beyond what's required by current disclosure regulations? Here’s one reason: as a reputation risk management problem, a network hack or data breach constitutes a uniquely complex corporate PR crisis.
It’s no wonder that senior execs are more concerned with managing cyber threats than with almost any other risk to their companies’ reputations.
And it’s why many tried-and-true rules for crisis communications no longer apply.
InfluenceChronicles.com -- A new survey says three-fourths of corporate data theft is caused by “insider negligence” -- a nice way of saying “companies that for some reason still let employees do internal email while connected to a free Wi-Fi service.”
As many companies and politicians learned the hard way, hackers love stealing emails in part because of the wacky fun that ensues when they are made public. And cybercrooks are becoming steadily more proficient at leaking e-plunder in ways that mess with the victim’s reputation and operations for as long as possible.
Here's the kicker: more than 60 percent of those surveyed said they have access to company data that they shouldn’t see. “Too many employees have too much access to the company’s most valuable information,” said the lead researcher, “beyond what they need to do their jobs.”
Worse still, a third of those companies don’t monitor any of the email their people are sending and receiving, including file attachments.
Change is coming. As the cybercrime epidemic continues, companies and organizations will begin compartmentalizing more information to the old “need to know” standard. How much that mitigates cyber-related reputation risk… We’ll see.
There’s more at The Wall Street Journal Risk Report.
Illustration | My Security World blog: Eight things to stop doing immediately