Issue Twenty Four

Target Lock

April 2023

The constant evolution of our landscape is introducing new challenges in cybersecurity, data privacy, and international relations. With cyberattacks posing a constant threat to businesses, it has become increasingly apparent that developing a proactive communication strategy is essential to survive and thrive in this digital age. Organizations must focus on transparency, accuracy, and adaptability - fostering resilience in the face of adversity.

The FBI's latest Internet Crime Report reveals the alarming sophistication of cybercriminals, as financial losses reached a jaw-dropping $10.2 billion in 2022. Top threats include phishing, business email compromise, investment fraud, ransomware, and call-center fraud - emphasizing the critical role of the human element in cybersecurity breaches.

The recent tensions between the US and China, as exemplified by TikTok's CEO, Shou Zi Chew, testifying before Congress, illustrate the increasing complexity of navigating the digital space. The RESTRICT Act, legislation aimed at protecting sensitive American data and national security, has sparked intense debate over transparency, user data protection, and the role of social media in modern society.

This month’s issue of Target Lock delves into Silent Quadrant’s perspective on the interconnectedness of cybersecurity, data privacy, national security, and international relations. Enjoy.


ZEROING IN


Plan now to avoid a communications failure after a cyberattack

CSO

Within today's digital landscape, cyberattacks are an inescapable reality that business leaders must confront head-on. Addressing the repercussions of such incidents goes beyond implementing technical fixes; it necessitates the development of a solid and proactive communication strategy. As Eden Winokur, head of cyber at Hall & Wilcox, forcefully asserts, "Communications are a critical component of a good cyber strategy, and it should be prepared and practiced in organizations before an incident occurs."

When faced with a cyber crisis, organizations must prioritize transparency and accuracy in their communications. This commitment to clarity extends to not only staff but also external stakeholders, customers, and clients. Winokur recommends utilizing adaptable statement templates that can be quickly tailored to specific situations, ensuring a consistent message across multiple channels.

However, while rapid communication is crucial during these incidents, precision is an equally critical part of the balance. Andrew Moyer, executive VP and GM with Reputation Partners, cautions against making definitive statements too hastily, which may later necessitate revisions. He emphasizes that "what you don't want to do is say something with such specificity that you risk having to walk it back and you lose credibility."

To create an effective post-incident communication plan, organizations must design a well-defined information flow and assemble a crisis response team composed of members from the security, communications, and HR departments. Moyer underlines the importance of regularly testing the plan, stating that "reviewing gives you that regular ability to evaluate your risks." By continually assessing and refining the plan, organizations can be better prepared to handle cyber incidents when they arise.

A successful response to cyber incidents hinges on seamless collaboration between the operational response team and the communications team, as both groups need to understand each other's roles and responsibilities. Moyer explains that the goal is not to "overburden someone focused on a critical operational response with communications," but rather to guarantee that information is efficiently disseminated throughout the organization.

Early detection of cyber incidents is not only essential for damage control but also for managing the response. Paul Black, a partner in KPMG's forensic services, advocates for organizations to invest in cyber insurance that covers PR and crisis communications, which will facilitate effective responses to incidents and assist in handling disclosure obligations.

Additionally, Black emphasizes the importance of conducting regular simulated scenarios to stress-test the response plan. He argues that these exercises help uncover gaps in the plan, enabling leaders to enhance their capabilities. He concludes, "The organizations that respond most effectively have invested the time in challenging themselves and their senior leaders and learning from those exercises."

In addition to these steps, it is crucial for organizations to keep relevant stakeholders informed, both internally and externally. This involves analyzing and recording all key organizational stakeholders and maintaining this record as circumstances change. Winokur also suggests that companies should thoroughly review their key contracts to understand their obligations concerning communication with customers.

It is also essential to recognize that internal communications can quickly become external in the age of digital communications. As Black points out, "These things can be incredibly sensitive. It may not be appropriate to release communications internally to say: 'we've suffered a data breach, we're investigating it' because the next day it could be on the front page of the newspaper."

Crafting an effective and forceful communication strategy to handle the aftermath of cyberattacks is vital for business leaders. By investing time and resources into developing, testing, and refining a comprehensive plan, organizations can better navigate the challenges posed by cyber incidents and emerge stronger and more resilient in the face of future threats.

SQ Insight: Kenneth Holley - Chairman


China Says U.S. Should ‘Stop Suppressing’ Foreign Companies As McCarthy Vows Progress On TikTok Ban

Forbes

Discord between the US and China, over the social media app TikTok, continued this month as TikTok CEO, Shou Zi Chew, testified before Congress. At the heart of the matter lies the Restricting the Emergence of Security Threats that Risk Information and Communications Technology (RESTRICT) Act. This legislation would empower the United States government to prevent certain foreign governments from exploiting technology services operating in the United States in a way that poses risks to Americans’ sensitive data and our national security. 

Chinese officials have called on the US to respect fair competition and stop suppressing foreign companies, while lawmakers in the US are pushing for legislation to ban the app due to concerns over Chinese government access to user data and potential interference in future elections.

TikTok's Project Texas proposal was highlighted, which some argue does not go far enough to address control of the app's algorithm. Critics contend the app's algorithm could be used by the Chinese government to push propaganda and manipulate users' perceptions of reality. Shou Zi Chew insistently defended the platform, claiming the app does not allow foreign entities to access US user data.

One of the most common threads heard in the chamber was the importance of social media platforms in shaping public opinion and the potential for these platforms to be used for propaganda purposes. Another common argument was the potentially harmful influence these apps might have on younger generations. The debate underscores the need for greater education, transparency, and accountability in how social media companies operate and how they protect user data.

The back and forth continued well after the testimony, as Missouri Senator Josh Hawley attempted to force a Senate vote on a bill that would ban TikTok from operating in the United States - citing concerns over the Chinese government's potential access to data from American users. However, his efforts were blocked by fellow Republican Senator Rand Paul, who argued that such a ban would violate the Constitution and anger TikTok's millions of users. Other lawmakers have proposed broader legislation to give the Commerce Department power to review and restrict foreign threats to technology platforms or to create a new framework for the executive branch to block any foreign apps deemed hostile.

Despite bipartisan desires, finding agreement on an unprecedented effort to ban or scale back apps that are used by millions of Americans will be challenging.

SQ Insight: Adam Brewer – Chief Executive Officer


The FBI’s Annual Cybercrime Report

Silent Quadrant

The FBI's 2022 Internet Crime Report revealed a staggering $10.2 billion in cybercrime losses, a significant increase from $6.9 billion in 2021. Despite fewer complaints, financial damage increased by nearly 50%. Top threats included phishing, business email compromise (BEC), investment fraud, ransomware, and call-center fraud.

Phishing remained the most reported complaint, with BEC scams accounting for $2.7 billion in losses. Investment fraud emerged as the most financially damaging threat, with losses increasing by 127% to $3.31 billion in 2022. Crypto-investment scams played a significant role in this surge. Ransomware continued to pose a substantial threat, with reported losses reaching $34.3 million, albeit a decrease from $49.2 million in 2021. Call-center fraud accounted for over $1 billion in losses, with nearly half of the victims over 60.

Technology alone cannot solve the cybersecurity dilemma, as the human element plays a crucial role in cyber breaches. The Verizon Data Breach Incident Report 2022 states that 82% of the cyber violations involved a human element, while the World Economic Forum reports that 95% of cybersecurity incidents are traceable to human error. Seniors are particularly vulnerable, with victims over 60 reporting $3.1 billion in losses.

For businesses, the growing prevalence of phishing and BEC highlights that email threat protection is not foolproof, and the human firewall remains the first and last line of defense. Organizations must approach cybersecurity as an enterprise issue and build a strong cybersecurity culture to reduce risk, improve resilience, and avoid becoming a statistic in future FBI reports.

SQ Insight: Tony Ogden – President, GRC

Kenneth Holley

Kenneth Holley's unique and highly effective perspective on solving complex cybersecurity issues for clients stems from a deep-rooted dedication and passion for digital security, technology, and innovation. His extensive experience and diverse expertise converge, enabling him to address the challenges faced by businesses and organizations of all sizes in an increasingly digital world.

As the founder of Silent Quadrant, a digital protection agency and consulting practice established in 1993, Kenneth has spent three decades delivering unparalleled digital security, digital transformation, and digital risk management solutions to a wide range of clients - from influential government affairs firms to small and medium-sized businesses across the United States. His specific focus on infrastructure security and data protection has been instrumental in safeguarding the brand and profile of clients, including foreign sovereignties.

Kenneth's mission is to redefine the fundamental role of cybersecurity and resilience within businesses and organizations, making it an integral part of their operations. His experience in the United States Navy for six years further solidifies his commitment to security and the protection of vital assets.

In addition to being a multi-certified cybersecurity and privacy professional, Kenneth is an avid technology evangelist, subject matter expert, and speaker on digital security. His frequent contributions to security-related publications showcase his in-depth understanding of the field, while his unwavering dedication to client service underpins his success in providing tailored cybersecurity solutions.
