Emirates NBD bank recently warned customers to beware of a phishing email that was doing the rounds entitled “VAT Refund Notification”.
In a statement it released online, the Dubai-headquartered bank told people to be “highly vigilant and always check the source before clicking on any links or attachments in e-mails”. Customers were told by the bank that they would never be asked for personal details such as their username, password or PIN.
Emirates NBD’s statement is typical of the cautionary notes that banks and other companies across the globe have had to issue when they or their customers have been affected by cyber-attacks.
It was, according to those working in cybersecurity, just the way to react, with Jeff Ogden, general manager – Middle East at Mimecast, an email and data security company, highlighting the bank’s quick action through warnings and social media videos.
“There are different ways of doing these attacks, therefore, there are many different facets from a defence point of view,” says Ogden.
There are numerous measures major organisations like banks can take to prevent themselves from falling victim to phishing attacks, such as remaining vigilant to ensure that their email domains are not being used fraudulently.
“Another area is to make sure you’re monitoring all activity associated with spoof domains,” says Ogden.
Staff should be educated so that they, like customers, are wise to the risk of phishing emails.
There is good reason to take all possible precautions to prevent a cyber-attack, because the consequences to a brand when the worst comes to the worst can be significant.
Ogden cites the case last year when the credit-monitoring company Equifax revealed it had experienced a severe data breach.
“Just in a day, I think their share price dropped by 13 percent. Many millions of users were compromised,” he says, referring to the day in September 2017 when the company’s value plummeted by 13.12 percent.
The harm caused by cyber-attacks, says Ogden, “goes into the tens if not hundreds of millions of dollars for the large multinationals”.
“And [there is also] the impact that is difficult to measure: whether a customer is comfortable to work with the organisation that’s previously compromised. It’s a difficult thing to measure, but it has an impact on the trust relationship with consumers,” he says.
So what strategies should companies employ to mitigate such reputational effects?
According to Dr Audra Diers-Lawson, a United Kingdom-based American academic who specialises in public relations, the first thing an organisation should do is to demonstrate what culpability it has or does not have, and then talk about how it is going to prevent a recurrence.
“If it’s data, how are they going to help the people affected? What are they going to do to re-secure the information?” she says.
“The most important step is reducing the uncertainty to customers or potential customers that they’re going to be protected.”
Wherever blame lies for the fact that an attack happened, Diers-Lawson says organisations are better off not being too vehement in denying that they are at fault.
“They cannot deny it too strenuously or focus on a negative strategy,” she says. “The question is how do they move beyond it and what are they going to do to make sure it doesn’t happen again.”
Customers should be given all necessary support to deal with any effects that the breach may have had on them.
Technological security measures and reputation management can easily merge into one another, with companies advised to set up teams with technical and communications experts in advance, so that they can react promptly in the event of a cyber-emergency. Legal specialists may also have to have a seat at the table.
“In an ideal [situation] there’s a good level of communication between the communication fields and the technical fields,” says Diers-Lawson.
The effects of an attack on a company’s reputation are likely to be more modest if that business can demonstrate that it has consistently upgraded its software and hardware and that it has always done its best with security. There are few things worse than news coming out that simple patches could have prevented an attack, as has happened with some major incidents.
The reach of the company’s message can be maximised by using search engine optimisation techniques.
Looking further ahead, as the email security company Vade Secure describes in a briefing document, significant sums may have to be spent to try to repair reputational damage.
There may be expensive public relations campaigns, and market research to identify how additional advertising spending can improve a brand’s image with consumers.
Another measure, although its cost can be significant, is cutting prices to generate interest from customers.
“If it’s the first time it’s happened, the public reputation of the organisation tends to come back relatively quickly,” says Diers-Lawson, who is a senior lecturer at the Leeds Business School, part of Leeds Beckett University.
Overall, as Diers-Lawson puts it, cyber-attacks represent “a very substantial risk” to a company’s reputation and brand. But responding in the right way, both in technical and communications terms, can mitigate the major threats that breaches can represent.
“It may hit the headlines for a little while, but if they show they are taking action, the effects aren’t particularly long term, unless it’s severe,” says Diers-Lawson.