You will get hacked – you need a proactive cybersecurity plan in place

The response to a data breach can make or break a company’s reputation – and reserves – says Öykü Isik, IMD Professor of Digital Strategy & Cybersecurity.
September 2020 - IMD Business School

In the past several years, digital transformation initiatives have been on the menu for many organizations. But since the pandemic shut down many countries, cities and companies in March 2020, this digitalization of our workforce and processes has become a rush order.

What effect does this rapid digitalization have on vulnerability?

With employees working from home, isolated and dependent on the security of their home wireless networks, the answer is clear: increased vulnerability to cyberattacks.

Yet Öykü Isik, IMD Professor of Digital Strategy & Cybersecurity, says that the real danger does not lie in the cybersecurity incident itself, but in the company’s handling of such attacks. By prioritizing processes, she says victims can limit the damage done to their data, their customers and their coffers.

“Digital transformation and cybersecurity are intertwined; thinking of digital transformation without considering cybersecurity is like walking out without an umbrella even though the forecast says rain,” says Professor Isik.

Contrary to popular belief, all companies will suffer a cyberattack at some point. The question is: What will they tell their customers and shareholders if they fail to handle it well?

“People stop interacting with a company or a brand if a breach occurs. Bottom line is at stake here. Having this strategy is as important as having threat detection and prevention strategies, if not more—it’s the moment all eyes are on you,” says Professor Isik.

“Cybersecurity is important for your reputation. The number one cost-driver of a breach incident is the decline in reputation.”

A sound investment: prevention and response plans

In other words, organizations should put more emphasis on building cybersecurity into their infrastructure, systems and activities from the beginning.

More and more consumer research (for example, FireEye Research) points out that a significant majority of consumers would not digitally interact with brands that had suffered a cybersecurity incident; a significant portion would completely abandon the brand.

According to Professor Isik: “This clearly shows that consumers have expectations about how organizations manage their cybersecurity, and these expectations are becoming more demanding.”

Many organizations have invested in prevention and detection, but not all have created or perfected their response strategies. This step is crucial to reputation management and can minimize damage both to the organization and its consumers.

“This is not about marketing yourself as an ‘unsinkable ship’ like Titanic – we all know how that ended,” explains Professor Isik. “This is about being stronger, being transparent about your priorities, and letting customers know that cybersecurity is a legitimate management topic.”

Rather than just a necessary evil of digitalization, she encourages companies to think about how cybersecurity contributes to their unique value propositions.

“If reliability or confidentiality is something your company values, then cybersecurity is a vital component,” says Professor Isik.

And while cybersecurity is often seen as a sensitive topic, companies in several industries – including financial services – are now sharing information about threats and how to remedy them with peers.

“By following suit, companies can increase threat intelligence as well as credibility in the eyes of their stakeholders,” advises Professor Isik.

Professor of Technology Management Öykü Isik is leading the session OH NO! You’ve been Hacked – Now What? at OWP liVe in November.