The biggest challenges for the PR industry are the matters related to cybersecurity and Internet of Threats which is how Melissa Hathaway, one of the leading experts in cybersecurity who worked for Bush’s and Obama’s administration, calls the Internet of Things. This challenge can be compared to the revolution in communication which took place several years ago when social media emerged. Thanks to it, we’ve became more digital and finally received tools which analyse our company actions and most of all – provide direct contact with our consumers. These are the advantages. The speed at which crises escalate right now is a major drawback along with the fact that it often takes a single post to start it. Many brands learned how to prevent such events and how to predict the course of actions. Thanks to constant social media monitoring, we are able to spot the starting point of a crisis and apply approprie procedures in order to contain the crisis which is going t happen anyway.
The future that’s already here
You may have thought that thanks to media monitoring, trainings and perfectly crafted crisis procedures, you are safe. Far from it. The net provides much more dangerous threats which we are not able to spot until the very last moment. And such situations may be in development process for a lot longer than we think. According to Johan Arts, the vice-president of IBM Security Europe, it usually takes 200 days from the moment the cyberterrorist has infiltrated our system to the discovery of the attack. In the meantime, the effects of such break-in may see the light of day which in turn causes a much bigger breakdown than a social media crisis. That’s the main challenge related to the area of expertise called cybersecurity.
The threats arising from cyber attacks are real and have significant effect on whole sectors of economy or even countries. WannaCry ransomware attack is a good example: in 2017 it blocked hundreds of thousands of computers around the world. Another example: a recent attack on Poland and Ukraine with NotPetya which has also affected numerous European companies. And contrary to the popular belief, this is not about some intelligence agencies business or break-ins to government severs. The latest attack on British healthcare system was particularly difficult for thousands of patients while the acquisition of selected American companies’ data by the hackers allowed them to manipulate shares on Wall Street. And these are real crises which we, communication specialists, will have to cope with in our daily work. And that’s just a small fraction of what’s going on in cyberspace.
Sir Julian King (European Commissioner for the Security Union) who was one of the main speakers at CYBERSEC Forum this year stressed that we should change the approach to the feeling of security and treat real and cybersecurity with the same attention. That’s because these two worlds intermingle and have the same impact on our lives nowadays. Sir King also mentioned several interesting numbers which should help us understand how real is the web-related threat (based on European data):
- 5 dollars – for that price people on the dark web are offering a hack attack service
- 4000 cyber attacks – is ransom ware per year
- 1000 cyber attacks – takes place per month in aviation
- 1 billion Euros – is collected from the cards per phishing scams.
- 350,000 – shortfall of cybersecurity specialists personel
- 1.8 billion – value of investment to be implemented
What’s interesting is the fact that, according to Arts, 60% of these break-ins is caused by internal security flaws in a company or institution. It’s hard to argue with that, especially after reading about ShadowIT, a problem at many companies, where computer users create a second IT circulation by installing given software and apps, without internal IT departments consent or even knowledge. I won’t even mention PR departments which probably have no idea how dangerous is the lack of basic security norms obedience for the image of the company. This subject deserves more attention if successful crisis procedures are to be introduced.
Another problem of PR which may seem unrelated at the first glance is the approach to design and production of devices sold by companies. As proved by Melissa Hathaway, security should be treated as a routine engineering process starting at the design stage. In my opinion, we should have similar approach to the communication process – we should address it as if it was an engineering task. Currently all cybersecurity matters need to be discussed in the very beginning of works on the marketing and communication strategy. Therefore it is a good idea to invite an IT department member or a person responsible for safety in the organisation to the next meeting, at which the strategy is discussed.
We cannot trust the IT infrastructure blindly. Joel Brenner, the former general inspector at NSA said that there is no other area of our lives and economy that’s as vulnerable as software and hardware. Can you imagine “updating” an underdeveloped medicine or “patching” a brand new car? Our lives rely on this solutions and it’s time to treat IT solutions the same way since, as we can see, they have a critical impact on our lives. Brenner also compares the security system to human immune system and adds that we should keep working on new solutions which are supposed to strengthen it and make it more immune to new threats. Let’s think about the HIV epidemic. What have we done to contain it? Education, prevention, research, social campaigns, healthcare for patients. Let’s now consider the cyber attacks an epidemic an e-HIV. Wouldn’t it be reasonable to introduce similar measures, also within companies, which is, de facto, a part of internal communication? We have to remember that the “digital HIV” is not only a threat to typical IT infrastructure (corporate servers, desktop and laptop computers). The Internet of Things brings more and more potential hosts to the virus, and by IoT I mean a wide spectrum of devices from toys for children to cars, ships and even satellite systems. That’s why I used Melissa Hathaway’s term the Internet of Threats; she thinks that we shouldn’t recklessly connect everything with the network.
Dark and bright side of AI
Another thing that becomes increasingly dangerous in the wake of dynamic development of cyber attacks is an increasing application of artificial intelligence. Of course, I’m far from being as sceptical as the authors of pessimistic AI development visions seen in movies about war of people and machines called terminators. I’d rather focus on simple AI systems such as advanced chatbots, which – if they are controlled by hackers – can do harm to our organisation and hundreds/thousands of clients, we worked so hard to acquire (also communication-wise). This also changes the reaction to the crisis. Before the times of social media, we usually had few hours to deal with the situation before the information is broadcasted during evening news or published by the press. Facebook and Twitter give us only minutes t to react, while during cyber attacks it’s often about seconds. If you’re interested, here’s a great simulation of a cyber attack crisis presented second after second by IBM. A real eye-opener. https://www.youtube.com/watch?v=sHrgVqKW1RQ
Of course, there is also a bright side to AI systems. In our company, we can start working on the implementation of a solution which will automatically run crisis management procedures in case of an attack including notifications sent to key persons and possibly external PR specialists, publication of readymade announcements on company’s website, separation of the infected department from possible external communication channels or social media etc. There will probably be some completely revolutionary ideas for us – PR specialists too. At Planet PR we have been discussing the idea to design such solutions for a while.
Getting back to the main point, cybersecurity. The first question is – what possible threats we are facing here. The answer is simple – it’s about data. Data is the currency of 21st century, which in many places is more important than the regular currency. That is because financial loss can be retrieved while lost data may cause a halt in production on one hand a severe image crisis on the other, when the data becomes public.
As written in Cisco 2017 Annual Cybersecurity Report, 22% of companies which have been attacked in cyberspace lost their clients (for 40% of them it was more than 20% of all their clients). Also, it’s obvious how difficult it is to rebuilt public trust you spent years on building. It’s the loss of data (and ways of data storage) that is the foundation of a new EU directive called GDPR (General Data Protection Regulation) which will become effective in May 2018. It gives local and international authorities a powerful set of instruments to use to fine companies and institutions which leaked data or neglected the storage of data.
The question whether we, the marketing people, would like to have access to more specific client information is probably a rhetorical one. Clients provide the information about themselves by logging everywhere, paying in so called free apps or services with their facebook accounts or e-mail addresses. We know more and more about them. And even though Google and other companies provide more and more ways to block online tracking, people still act as if digital reality and security were something completely unrelated to their lives. Ask your friends who have Google accounts if they entered the My Account section at least once and checked how they can turn off advertising tracking. That’s why it’s our role as communication specialists to provide the sense of security because people trusted our services and let us collect additional information about them which in turn undoubtedly increased our effectiveness.
So what can we do to protect ourselves, improve our communication procedures or take part in the security improvement process in the company? Firstly we should learn ourselves – for example what are the contents of the abovementioned GDPR Directive or the basic IT security principles which can be found either in our IT departments or on websites devoted to cybersecurity. Trainings are yet another way. We should start thinking about them right now and plan attendance in order to be up to date with all information about threats that can cause a crisis in our organisation. It’s a good idea to join forces with IT departments and organise trainings with a simulation of a cyber attack on our company combined with the leak of data to the media and social media (I just leaked a part of our new offer we’re working on at Planet PR this quarter :)). In simulations it’s importnat to focus mainly on all effects of such attacks, not only on prevention and security measures.
Internal communication or “Culture” departments should also focus on education on the Shadow IT problem – double IT circulation. Let’s support IT department in the often uneven fight with corporate users, since it’s these departments that are responsible for minimising the cyber attack risk on our organisation. Unfortunately the relations with “IT guys” are often “distant” which often complicates the work on procedures, VPNs and other solutions that are seemingly tiresome. The goal of internal communication should be to build a culture of understanding and cooperation with the people who care for our cybersecurity. We should take some simple steps to prevent our work tools too – take a closer look at what you are using to work (external cloud drives, external apps) and whether you can separate one computer without network connection, where the most vulnerable data (i.e. strategies, financial documents or media contacts which to many PR specialists are the most valuable information) can be stored.
Cybersecurity is currently the basis of our life, therefore it’s time for communication specialists to implement it as one of the foundations of their work.
Author: Lukasz Wilczynski, President of Planet PR and CEE Manager of GlobalCom PR Network