Cyber Crisis Simulator: Weathering the storm: public vs private crises

You can’t always anticipate a data breach. What do you do when the unexpected happens at a high-security organization? What if national secrets are now in the hands of your adversaries?

It’s inevitable that a business will face some sort of crisis at some stage; an event that catches out even the best-prepared organizations. As the FireEye incident proved, even with the most secure systems and hygienic infrastructure, if a thought-to-be-trusted third party program turns out to be vulnerable, security is taken out of your hands. It’s therefore critical that all organizations, however big or small, and whether private or public, practice their incident response skills in order to weather the storm.

But what’s the difference between weathering a crisis as a public sector organization versus a private corporation? Does the decision-making process change? Where do your strategic and operational priorities lie? How is blame apportioned? Well, regardless of sector, similar skills and responses apply.

The key distinction between a public institution and a private business is the stakeholders. Although of course nuanced, as a generalization, public sector organizations, such as local councils, must report to the public. With no customers per se, and government regulation, it’s the taxpayers and local population that will hold them accountable if something goes wrong. Meanwhile, private corporations, such as banks or retail stores, are more likely to have shareholders and customers, which determine stock price or market value. So does this change the way businesses make decisions when it comes to a crisis?

Regulations

Having disparate stakeholders means companies must adhere to different regulations. But to a certain degree, both types of organization are still held to account by the government and public perception. A private business might not have a duty of care to release company information, yet there are still regulations and formalities to follow. Say a private bank gets hit by a cyberattack. Publicly, it may not disclose the extent of the attack, but it may still have to report the event to a regulator.

A government-led institution, on the other hand, may have to put more activity on record. Its hand is already played; information on breaches and security attacks must be fessed up. Take the recent Solarwinds hack on the National Security Agency (NSA) as an example. After an investigation revealed the vulnerability had allowed an attacker into the systems, the Government advised the NSA – a public body – to switch off the power to its program, and it had to comply. The crux of the matter is that we hold public institutions to a higher standard and want to know what they’re up to – after all, it’s taxpayers’ money they’re spending.

Customers

These different regulations and stakeholders put different pressures on public and private companies, therefore forming subtle differences in the way they react to crises. Firstly, the largest pressure on profit-seeking businesses is losing customers, and ultimately shareholder value. Comparitech reported in 2019 that share prices fall by an average of 7.27% in the 14 days after a breach occurs. In the long term, companies can be down on the National Association of Securities Dealers Automated Quotations (NASDAQ) exchange by 13.27% three years after the breach. Unsurprisingly, it also notes that breaches leaking highly sensitive information like credit card and social security numbers see larger drops in share price performance on average than companies that leak less sensitive information. Imagine an energy supplier suffers a cybersecurity breach, with huge amounts of customer data stolen. Customers may switch service providers to a rival company. If this happens on a large scale, it could mean a catastrophic worst case scenario for the business, causing an irreparable financial headache.

Communications

While a public sector organization wouldn’t have the pressure of losing customers in the same way, there is an expectation for it to communicate more with its consumers. This provides a grounding for its reputation, and a positive public perception is ultimately what allows these public bodies to function – they can’t work without a certain degree of public trust in their institution.

For private corporations such as the aforementioned energy company, the best way to counteract the pressure of losing customers is with a transparent communications strategy. Despite not having the duty to divulge company information, private companies too will benefit from honest and coherent comms in a way that they wouldn’t have in the past.  Events like cyber crises can’t be swept under the carpet the way they could 10 or 20 years ago due to the rise of the internet, digital news reporting and social media. But there’s a sticking point here. Private businesses have the precarious position of deciding what needs to be revealed to stand in good stead versus what can be held behind closed doors – legally, ethically, and from the point of view of keeping shareholders and customers happy. It’s always good to be honest, but in a way that doesn’t compromise your work or deter crucial business.

Blame 

Blame is another factor that might change the way private companies and public sector organizations respond to crises. If something goes wrong at a public institution at a national level, some of the onus will fall on the rule-enforcing government.

For example, in the UK, the Environmental Agency and the government have both been blamed for the lack of flood management resources available. In 2019 they were criticized for their poor standards; they sent texts to homeowners in the North of England telling them not to put sandbags down for their houses would not be affected – only after many homes had already flooded. Stateside, the Federal Emergency Management Agency (FEMA) received similar blame for its role in Hurricane Katrina. Blame was apportioned on FEMA and the government’s inability to manage the situation due to the failure of countless evacuation plans, redistribution of service providers and caregivers, and tardy indecision. The heavy regulations on the organization almost acted as a scapegoat for some of the blame, with poor management and governmental rules in place meaning emergency response plans were prevented from going ahead. A private company would not be subject to the same regulations, so perhaps more blame is attributed to a private business in the event of a crisis. Dive a little deeper, however, and the lines can become even more blurred.

During the coronavirus pandemic of 2020, headlines hit about the private food distribution company Chartwells, hired by the UK government to send food packages to help struggling families in the UK. Upon doing a less than adequate job the company received much of the blame – but the government was made accountable too. Even as a private company, there may be times when it represents the government, meaning further pressures and regulations apply.

Regardless of their nature, all companies must exercise their skills in weathering crises, and as we’ve proved, the decisions that must be made aren’t always polar. There are some similarities in how incidents can unfold in terms of government accountability or communicating honesty. Private businesses need not respond one way and public bodies another; rather, the human skills of being prepared and capable in a time of crisis are universal.

The best way to test these vital skills is with Immersive Labs’ Crisis Simulator. In our latest sim, Supply Chain Compromise: Blind Administration, you play a leadership role at Cybersecurity Command and must focus your decisions on the potential political, diplomatic, reputational and security impacts on your company as you navigate the loss of nationally important secrets. Practicing responses to an incident such as this will help build muscle memory, allowing teams across all organizations to perform more efficiently in the instance of a real crisis.

If you’re ready to equip your team in the art of decision making and crisis response, book a demo with one of our experts today.

TOPICS
Blog
Cyber Crisis Sim
PUBLISHED

27 January 2021

We help businesses to increase and evidence human capability in every part of cybersecurity.