Cybercrime – from the IT Department to the Boardroom

September 8, 2015

By: Brian West

Where we shop and what we purchase, to how we travel to work, we constantly give up personal information for the sake of convenience – the Internet of Things (IOT) has effectively made mines out of our mobile phones for marketers to profit from. But while we now get personalized messages and offers, we easily forget that every innovation of Big Data that captures personal information and monitors our activities also raises the threat level.
Every day, we seem to hear of a new security breach and tens of millions of peoples’ records being stolen from organisations that employ a phalanx of IT professionals whose duty is to protect this data.

Today’s security paradigm is such that companies have to be right 100 percent of the time, whereas cyber-criminals only have to be right once in any number of attempts.

The standard company response before, during and after a cyber-attack is that it is an IT department issue. But is it? Let’s look beyond the IT department.

For example, employees that handle increasing data loads can make mistakes: the passport numbers, dates of birth and visa details of leaders attending the G20 Brisbane summit in November 2014 were mistakenly emailed by an Immigration Department official to a member of the Asian Cup Local Organizing Committee prior to the G20. Employees, regardless of department, can also fall victim to phishing (opening an email attachment that unleashes malware).

Where does this ultimately take us? To both the C-suite and the Boardroom. The CEO needs to lead this whole-of-company approach, and the Risk Committee of the Board of Directors has to provide strategic counsel, direction and oversight. Cybercrime is the fastest growth industry in the world and companies need a holistic approach, rather than the traditional, often siloed approach we see.

These are the building blocks to a great company-wide approach to cyber defense:

  • Data security from IT
  • Prospective and current employee screening and training in data protection and ethics by HR
  • Compliance by the Legal team; threat analysis by the Risk team
  • A robust Business Continuity Plan
  • Incident preparedness and management training by PR, including the Investor Relations team
  • Anticipation of tomorrow’s regulatory environment by GR
  • Company culture – built over time; that understands they are protecting not their own data but more importantly, the data of their customers


In 2013, Target destroyed the trust of their key stakeholders by delaying disclosure of their breach while they investigated. They failed to recognize that those whose data had been stolen had a right to know immediately.
Conversely, earlier this year, medical insurance company Anthem Blue Cross seized control of their reputation by announcing their breach immediately, and kept customers updated constantly. If anything, Target and Anthem’s share price movements during and after the crises gave validation to the better handler of crises, Anthem – they actually managed to build goodwill.

Sun Tzu once said: “Every battle is won before it’s ever fought.”

Companies need to stop and assess the bigger picture – what should their strategy be? When a crisis hits, don’t waste it:

  • Create a Guiding Light Strategy right off the bat (this gives the company a real chance of emerging from a crisis stronger than before)
  • Take a step back and undertake an objective analysis of how it started
  • Look at it through the lens of the stakeholders and decide the reputation you want for the company long after the crisis

A Guiding Light Strategy forces companies and executives to focus holistically on the company and its reputation – to change the conversation from one of defending, to one where the control is asserted by virtue of the authentic promises it makes about the importance of its customers, employees and other key stakeholders.

This is where the company moves from reacting to proposing; from following to leading; from defensive to assertive. They are in fact reaffirming what the company stands for, bringing its values to life in a crisis through its actions. The Guiding Light Strategy takes management from managing a crisis to leadership during a crisis.

Finally, recent global cyber-attacks have everyone focused on pre-determined ‘how to respond’ lists; response manuals are built around them. While this is a practical part of addressing a problem, it unfortunately focuses company management on simply managing a crisis, rather than rising up out of the crisis as an authentic leader.

If a crisis came calling today, are you comfortable that your company has the right plan and the right people in place, fully prepared to respond swiftly and effectively and to show authentic leadership? Or are you simply in a position to check boxes off a list?

Brian West is the global lead of FleishmanHillard’s Crisis Management practice. You can reach him at