Tackling the threat of cyber attacks
Companies are underestimating the sophistication of cyber hackers seeking to gain access to their systems
You’re working late in the office and receive two calls.
One is from a Mr Bogius De Hacker, writing from an email account in Lagos, asking your company to settle a previously unseen invoice for a large amount.
The other is from a journalist asking about the itinerary for your chief executive’s forthcoming trip to Brussels.
What do you say to each?
Not many communicators would reply to the Nigerian scamster but neither, according to the latest security advice, should they respond to the reporter.
The reason is the rising danger of cyber risks and the growing use of ‘social engineering’ techniques by scammers and hackers.
Even the most vigilant of corporate communicators may be comparatively relaxed when it comes to policing their chief executive’s blog or Facebook or LinkedIn page or indeed populating their own.
Yet, cyber risk experts warn that such information is increasingly being used by criminals to make identity fraud, fake invoice demands and other scams appear more credible.
‘You may think it’s an innocuous request from a media name you know well,’ says Ashley Hurst, partner at law firm Olswang, ‘but information about the whereabouts of your senior executives or profile information about them can be used for social engineering purposes by people who want to operate a scam.
‘This sort of information can be used to populate an email from what looks like a real email account and is sent to personalise a request for an urgent payment.
‘Details in the email about the CEO going on a certain business trip or speaking at a certain conference can lead to the fraud not being spotted. These things are really easy to fall for, especially when people are on their mobiles and get lots of emails, so they don’t always check the email addresses. It may not be as obvious as a Nigerian scam but it can be just as damaging.’
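The pattern Hurst describes, a familiar display name sitting over an unfamiliar or lookalike address and read in haste on a phone, can be caught mechanically before the request ever reaches a human. The Python below is an added example written for this article, not code from the original page or from any of the firms quoted. The company domain, the executive names and the sample messages are constructed assumptions; the checks themselves (executive name on an external address, confusable-character lookalike domain, punycode label, an address hidden in the display name, and a Reply-To that diverts answers elsewhere) are the standard header tells of invoice fraud.

```python
"""Header checks for the display-name, lookalike-domain and Reply-To tricks
used in fake-invoice emails. Standard library only; runs offline."""
from email import message_from_string
from email.policy import default
from email.utils import parseaddr

# Assumptions for this example: the company's real mail domain and the
# executives a scammer would impersonate. Both are hypothetical.
COMPANY_DOMAINS = {"example-corp.com"}
EXECUTIVE_NAMES = {"jane doe", "jane.doe"}

# Digit-for-letter swaps commonly used to build lookalike domains.
_CONFUSABLE_CHARS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def canonical_domain(domain):
    """Fold a domain into the form a hurried reader's eye would take it for."""
    d = domain.lower().strip().translate(_CONFUSABLE_CHARS)
    d = d.replace("rn", "m").replace("vv", "w")   # rn looks like m, vv like w
    return d.replace("-", "")                      # examp1e-corp -> examplecorp


def parse_address(header_value):
    """Return (display_name, address, domain), all lower-cased."""
    name, addr = parseaddr(str(header_value or ""))
    return name.strip().lower(), addr.lower(), addr.rpartition("@")[2].lower()


def check_sender_headers(raw_message):
    """Return a sorted list of finding codes for one RFC 5322 message."""
    msg = message_from_string(raw_message, policy=default)
    findings = set()
    name, _addr, from_domain = parse_address(msg.get("From"))
    internal = from_domain in COMPANY_DOMAINS

    # 1. Display name borrows an executive's name but the address is external.
    if not internal and any(exec_name in name for exec_name in EXECUTIVE_NAMES):
        findings.add("display_name_impersonation")

    # 2. External domain that folds to one of ours once confusables are normalised.
    ours = {canonical_domain(d) for d in COMPANY_DOMAINS}
    if not internal and canonical_domain(from_domain) in ours:
        findings.add("lookalike_domain")

    # 3. Internationalised (punycode) labels can hide homoglyphs the ASCII folding misses.
    if any(label.startswith("xn--") for label in from_domain.split(".")):
        findings.add("punycode_domain")

    # 4. A display name that is itself an address at a different domain.
    if "@" in name:
        _, _, name_domain = parse_address(name)
        if name_domain and name_domain != from_domain:
            findings.add("embedded_address_in_name")

    # 5. Replies silently routed to another domain: the classic payment-fraud set-up.
    reply_to = msg.get("Reply-To")
    if reply_to:
        _, _, reply_domain = parse_address(reply_to)
        if reply_domain and reply_domain != from_domain:
            findings.add("reply_to_mismatch")

    return sorted(findings)


# Constructed sample messages (not real mail) covering the cases above.
SAMPLE_MESSAGES = {
    "legitimate": (
        "From: Jane Doe <jane.doe@example-corp.com>\n"
        "To: finance@example-corp.com\nSubject: Brussels trip\n\n"
        "Please book the Tuesday train.\n"
    ),
    "lookalike": (
        "From: Jane Doe <jane.doe@examp1e-corp.com>\n"
        "Reply-To: jane.doe@examp1e-corp.com\n"
        "To: finance@example-corp.com\nSubject: Urgent invoice\n\n"
        "I'm at the Brussels conference, please pay the attached today.\n"
    ),
    "webmail_with_reply_to": (
        "From: Jane Doe <ceo.jane.doe.urgent@webmail.example>\n"
        "Reply-To: \"Jane Doe\" <payments@another.example>\n"
        "To: finance@example-corp.com\nSubject: Quick favour\n\n"
        "Can you settle this before I land?\n"
    ),
    "address_in_display_name": (
        "From: \"jane.doe@example-corp.com\" <x@evil.example>\n"
        "To: finance@example-corp.com\nSubject: Invoice\n\n"
        "See attached.\n"
    ),
    "punycode": (  # constructed placeholder label, not a real IDN encoding
        "From: Jane Doe <jane.doe@xn--example-corp-test.com>\n"
        "To: finance@example-corp.com\nSubject: Invoice\n\n"
        "See attached.\n"
    ),
    "spoofed_from_external_reply_to": (
        "From: Jane Doe <jane.doe@example-corp.com>\n"
        "Reply-To: jane.doe.private@webmail.example\n"
        "To: finance@example-corp.com\nSubject: Invoice\n\n"
        "Reply to this address, my work mail is down.\n"
    ),
}

if __name__ == "__main__":
    for label, raw in SAMPLE_MESSAGES.items():
        print(f"{label}: {check_sender_headers(raw) or 'no findings'}")
```

These checks complement rather than replace SPF, DKIM and DMARC: a registered lookalike domain passes all three authentication checks perfectly, which is exactly why the display-name and confusable-domain comparisons are still needed in front of a finance mailbox.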
Indeed, research published recently by online reputation and digital intelligence firm Digitalis Reputation claims companies are vastly underestimating these risks. It says cyber criminals are increasingly targeting employees in sensitive roles, including corporate communications, who have disclosed personal information on social media and company websites.
A survey of 1,049 business leaders carried out for the report by pollsters YouGov found that 61 per cent of British bosses are aware of the threat posed by social engineering attacks to their business, 62 per cent issue guidance to staff on digital security and 41 per cent tell employees that human error is a key cause of cyber security breaches.
However, just 51 per cent of business leaders restrict who can see their Facebook profile, 36 per cent act upon changes to privacy settings on social media sites and fewer than one quarter regularly check what information is available about themselves online or review social media data-sharing policies.
The report says such lapses are leading executives to give away company secrets, transfer money to criminals, or allow hackers access to company networks by clicking on links.
Victims include a chief executive who posted his birth date and mother’s maiden name on Facebook, an ultra-high net-worth businessman whose teenage daughter inadvertently accepted friend requests from an investigator employed by a competitor and a well-known entrepreneur whose children posted details of their holiday venue, travel and security arrangements online, together with pictures of the family car’s number plate.
So what should companies and their corporate communicators do about this burgeoning issue?
Experts believe corporate communications offices play a vital role because they’re likely to be highly active on social media and will have the task of explaining and mitigating any breach that does occur.
Digitalis chief executive Dave King says: ‘What’s interesting about communicators is that they very often control the social media of their organisation and its senior executives. If what we’ve learned here about how social engineering is intrinsic in almost every major hack, if that should make everybody paranoid, it should make the head of communications most paranoid of all.’
Jon Moger, a senior director for Europe, the Middle East and Africa at Aruba, part of computer group Hewlett Packard Enterprise, believes the problem is compounded by the increasing proportion of employees who belong to ‘Generation Mobile’ – youthful employees who find it as easy to share a status update as they do to share a password or mobile device with a colleague.
‘What do you do?’ he asks. ‘Lock down all mobile devices? Implement a highly restrictive password policy? My advice is not to throw the baby out with the bathwater. This new generation brings big-thinking creativity, better collaboration and new ways of doing things – priceless assets in an era when consumer behaviour is changing so quickly.’
King also believes communicators need to be pragmatic about the increasing data security threat. ‘Does it mean they can no longer communicate?’ he asks. ‘Of course not, but they need to begin to recognise the kind of tidbits of information, which, when combined, can pose a threat.
‘They could refrain from putting some information online. People shouldn’t put their date of birth on LinkedIn or be publicising their mothers’ maiden name or their pets’ names without thinking about it.
‘With other pieces of information that’s mundane, there’s nothing wrong with putting it out there but communicators need to be conscious that it could be used against them and be wary of any such threat.’
Hurst agrees that realism is key. ‘Press offices don’t need to always know where the chief executive is,’ he says. ‘The important thing is to have policies and practices for dealing with enquiries and to test them out, for example with mystery callers to see if the press office can spot the tell-tale signs of a fake caller.
‘My advice to people in senior communications roles is to focus on practising hypothetical scenarios and think about how they would respond and liaise with lawyers and investigators in different situations. Where there has been a breach, you sometimes don’t want to say nothing because that looks like you’re not dealing with it properly but if you open up too much you risk opening up holes for journalists to dig into.
‘A really smart communicator will know how these things have played out in the past and be prepared to withstand the media pressure and then shift the focus to explaining what the company is doing, whilst not saying too much about what has actually happened.
‘The people who do this best are prepared to stonewall a little while they investigate. And whether you put the chief executive on television to explain it all really depends on the CEO in question and how they communicate.’
An example of this came last October when TalkTalk chief executive Dido Harding, in an interview to explain what the company was doing about a security breach that saw the accounts of 156,000 customers hacked, admitted that she didn’t know whether information on the group’s servers was encrypted.
A better approach, say communicators, would have been to stress the complex and sophisticated nature of the attack and the expertise of the engineers dealing with it, to offer customers advice on how to stop the stolen data from appearing on the dark web or falling into other unwelcome hands, and to promise to share the facts of the matter once they were clear.
The rules of engagement on such occurrences, however, are about to be codified in a new European Union regulation that will both standardise how corporates should respond and introduce a tough regime of penalties for non-compliance.
The General Data Protection Regulation, which was approved by the European Parliament earlier this month and applies from May 2018, will require organisations to notify the relevant supervisory authority of a personal data breach without undue delay and, where feasible, within 72 hours of becoming aware of it, and to inform the affected individuals without undue delay where the breach is likely to put them at high risk.
It will also require organisations to regularly test, assess and evaluate the effectiveness of their security measures, and will give individuals harmed by a breach the right to seek compensation from the organisation responsible.
Magnus Boyd, partner at law firm Schillings, states: ‘Communicators deal with their clients’ most sensitive commercial and sometimes personal data so it is absolutely disastrous if they get hacked.
‘This new EU regulation will probably be the biggest and most important single piece of litigation the EU has ever produced. It will be huge and expensive for everybody, including communicators, to introduce.
‘People are going to have to treat the management of data breaches in the same way as they treat the preparation for a fire drill. Everyone will need to know what they’re going to do in the event of a hack and a breach. Everyone will need to act responsibly and if they don’t there are some pretty Draconian fines.
‘Very few companies are ready for this regulation and I would imagine that PR as a sector is probably lagging behind. I don’t think the sector is alive to this area as it might be.’
Maybe it’s this increasing gravity and risk profile that makes the data security issue seem too hot for some communicators to discuss publicly.
Nick Cosgrove, a senior consultant at financial PR agency Brunswick, advised the company’s client Dixons Carphone, which announced last August that it had suffered a data breach in which the details of up to 2.4 million of its customers may have been accessed.
Up to 90,000 customers were said to have had their encrypted credit card details accessed. Dixons Carphone chief executive Sebastian James said he was ‘very sorry’ that customers had been affected.
The company said it was informing all those involved and advising how individuals could reduce the risk of further adverse consequences by notifying their banks, checking their credit ratings and changing online passwords. It is understood that none of the company’s customers lost any money in the attack and that Dixons Carphone did not see the need to issue any further communications on the matter.
Dixons Carphone and Cosgrove, however, declined to talk to CorpComms Magazine about the issue.
Rod Clayton, executive vice-president of PR agency Weber Shandwick, believes companies and communicators need to take a more proactive approach, helped by the development of Facebook at Work and other walled-off sites that are separate from workers’ private social media pages.
‘Generally, people are so enthusiastic about social media that they sign up without fully understanding what the terms and conditions are and how they impact their privacy,’ he says.
‘There’s this tension between enjoying social media, feeling that one ought to be active on it but managing what it actually reveals. It’s a very interesting area when you voluntarily give up information about yourself. People are cavalier about these things yet when it comes to losing money, they’re remarkably intolerant.’
Companies and their communicators perhaps demonstrate the same contradiction. Where finance is involved, however, it normally wins the argument. Watch this space very carefully.