Help, we’ve been attacked!

What to do or not to do when communicating cyber breaches

When it comes to a cyber breach, it is no longer a matter of ‘if’, but ‘when’.

Canva, the Australian-founded global graphic design website, was created with the future of design in mind.

“It would be online, collaborative and very simple”, said Chief Executive Officer Melanie Perkins. With a recent private market valuation of over $5 billion, Canva is one of the most valuable female-led technology start-ups in the world.

The platform put that valuation and its reputation in jeopardy last year, however, through the poor management of a cyber breach.

Canva had detected an attack on its IT systems, which resulted in 139 million users’ data being accessed, copied, and subsequently put up for sale on the dark web. While the technical handling of the breach appeared sound, Canva faced heavy criticism for their communication.

The initial email to inform customers of the breach buried the news under a paragraph of pure marketing. Readers were advised how “Canva ‘empowers’ people to do great designs” and of its acquisitions of two photo libraries as well as a new product for the US market.

Further discounting the impact of the breach was the fact that the email came from Liz McKenzie, Canva’s Head of Communications, rather than a CEO or other senior leader.

Following criticism from experts, Canva sent out a message that looked to address the issue. Their initial response was a clear case of what not to do. It displayed a lack of transparency that undermined the value of their crisis communications and clearly showed that they were not considering the personal impact on their users. The clouding of key information and the use of the wrong spokesperson would indicate that Canva had not prepared for such a crisis.

Cyber breaches are now so common that organisations need to plan for cyber-crises by analysing key threats, testing scenarios and planning their likely responses.

According to the latest Telstra Security Report, 65% of Australian businesses were interrupted by some kind of cyber security attack during 2019. The Department of Home Affairs found the annual cost of cybercrime to the Australian economy to be $17 billion. Some breaches can inflict reputational damage on organisations that can take years to mitigate, if they survive at all.

Uber learnt this lesson the hard way when they failed to alert users that a global breach resulted in the theft of personal data including names, email addresses and phone numbers, as well as the names and driver’s license numbers of about 600,000 drivers in the United States. Uber’s response was to pay the hackers responsible $100,000 to delete the data and keep the breach quiet. Once exposed, Uber had a lot to answer for.

The Australian National University (ANU)’s approach to their own cyber threats was more commendable. They were subject to an attack of alarming sophistication that all came down to an email sent to a senior member of staff. The email was previewed, which was enough for the hackers to open their first door. From there, a 6-week hack transpired that involved the theft of a wealth of personal data and priceless research.

Rather than shying away from communications, the ANU released a comprehensive report, marking the first time an Australian public institution had issued such an in-depth account of a cyber-attack.

In a world where cyber issues are prolific, ANU’s transparency is a healthy shift for all Australian institutions in representing cyber incidents and their responses.

Through openness, a more informed dialogue is created and we are all better equipped to appreciate and remain vigilant to the threat of cyber-attacks. ANU has spent millions to upgrade its computer network, but no one is impenetrable.

Technological sophistication is one thing, but employees also need training to identify, manage and respond to cyber threats. Strong security awareness and practice are the responsibility of the entire organisation.

If you believe your business needs to make cyber security more of a priority, join our upcoming live webinar. It will cover the legal, technical and communications aspects of cyber security, presented by respective leaders of each industry.

  • Dudley Kneller, Partner (Intellectual Property & Technology) at Gadens
  • Blare Sutton, Partner (Technology Advisory) at McGrathNicol
  • Barbara Pesel, Managing Director at Pesel & Carr Strategic Communications

Inner wolf

Nestled snugly on an armchair or resting my head on the lap of a coworker, it’s sometimes easy to forget my heritage. It’s commonly accepted that dogs evolved from the grey wolf, which was domesticated to protect humans and help them to herd and hunt. We’ve come a long way since then, as I offer very little in the way of these services. There are occasional triggers, however, that awake my inner wolf.

A skateboarder, for example, sees me return to my origins, unleashing wolf-like barks and displaying my canines. It’s a liberating feeling, as I feel myself becoming one with my history. I recently saw another dog unleash her inner wolf in another proud display of heritage.

Tilly patrols a luxury island resort on the coast of North Queensland. The gutsy guard dog recently leaped into the water to scare away a mammoth shark. Having done so successfully, she calmly dog paddled back to the shore and returned to the sand to continue scanning the coast.

It’s wild, inspiring footage courtesy of a very good dog.

Contact us to refine your business’s crisis communications.