It’s almost impossible to turn a page, or more likely click a tab, when reading news and not see something related to cyber security these days.
Whether it’s an attack that has just occurred, or a brand updating the world on its progress after a breach, or CEOs taking mortars from across the twitosphere for inept responses, cyber attacks hit the front pages with alarming regularity, and the initial attack is always followed by stories charting a brand’s response to the crisis.
While this has been common practice in the US and more recently Europe over the past few years, Asia has recently entered the cyber security world in a massive and troubling way.
According to a report released by cyber security firm FireEye this month, organisations that it observes in Southeast Asia have a 45 percent higher risk of facing a cyber attack than the global average. In the first six months of 2015, that figure was 7 percent.
As Patrick Neighorn, FireEye’s APAC communications manager, simply states: "Based on targeted attacks against the organisations FireEye observes, Asia is the most attacked region in the world."
Furthermore, and contrary to popular belief, it is not just the obvious sectors – finance and technology – being targeted. FireEye said the entertainment, media and hospitality markets are among the most attacked.
The more cases occurring, the more brands need to formulate their responses, both before and after a breach. To that end, PR agencies in Asia-Pacific say the figures reflect their workloads.
"We’ve certainly seen a strong increase in the need for cyber security communications over the past 12 months across all our markets," says Deborah Hayden, regional director of Edelman APACMEA’s capital markets and M&A practice.
"While there will always be an immediate communication need following a data security incident, the growing trend is for corporations to prepare themselves before the breach occurs."
However, in a region where there is little will or legal imperative to communicate when a cyber attack occurs, that trend is taking much longer than it should to catch on.
Don’t ask, don’t tell
The first issue that agencies come across is the continuing lack of sophistication in most Asian companies when it comes to identifying a cyber security breach, let alone communicating about one.
"In most cases companies in the region don’t even know they’ve been attacked," says Charles Lankester, senior vice president of reputation management at Ruder Finn Asia.
"Cyber breaches tend not to be ‘smash, grab, alarm bells ringing’. They often take place stealthily, over long periods, with the attacked company being unaware."
Plenty of examples across Asia support this. In January 2014, an IT contractor working for the Korean Credit Bureau swiped the data of 20 million people over 18 months.
An organisation labelled APT30, thought to be from China, conducted a decade-long campaign on businesses, governments and media outlets before being discovered.
Neighorn says: "Most organisations in Asia aren’t able to detect advanced attacks or intruders within their networks.
"If they do, many don’t do anything to kick out the intruder or prevent new ones, let alone disclose the incident. A lot of these issues don’t make it to the communications team."
Allied to this is a weak regulatory landscape in terms of having to report breaches, says Brian West, FleishmanHillard’s global managing director of crisis management.
"There is no mandatory data breach reporting legislation or regulations in Asian countries, unlike in the US and increasingly so in Europe," he explains. "So many companies seek to avoid the public embarrassment of admitting they have been breached."
A cursory glance at the headlines following a cyber attack may be enough for CEOs to avoid public declaration of a breach, and the importance of saving face and reputation in Asia is a difficult cultural ideology to shift.
"We need to stop the shaming of victims of advanced cyber attacks," Neighorn states. "Breaches are inevitable," and scaring firms into silence is only detrimental to any defence.
Hayden says agencies are educating Asian brands on the connection between their consumer data and reputation, and the subsequent risks around not communicating on cyber attacks.
"How a brand treats consumer data is now part of the brand promise and risk profile, creating trust issues for brands or corporations that expose their customers to risk," she says.
Not being required to disclose cyber breaches is also bad for business, Neighorn says, because it can undermine investor confidence in a brand’s security if they never have to talk about it.
Moreover, the more brands communicate publicly, the better it is for future prevention.
"Breach notification requirements help improve our collective security, and Asian markets are moving in this direction," Neighorn says.
"When brands disclose a successful attack and the techniques behind it, they help other organisations defend against it. Sharing intelligence is one of the best defensive tools we have."
The landscape is slowly changing, particularly with increasing numbers of foreign multinationals bringing their crisis comms response programmes with them from their home jurisdictions, where breaches must be reported and a PR strategy is essential.
West says: "Those headquartered out of the US and Europe now have the benefits of early disclosure of a breach ingrained in their culture, and they bring that approach to Asia."
However, it isn’t all plain sailing, says Lankester, with several factors influencing how effectively a global company’s comms programme, however robust, is applied in Asia.
"Technically these [programmes] should be available in Asia but often implementation is a bit hit and miss," he says. "And entirely driven by how much the Asia, or country, CEO cares, is interested or can be bothered.
"My view? The vast majority of Asia-Pacific domestic corporations are way behind on comms planning and preparation. There will be some big shocks in 2016."
One size does not fit all
The core comms principles when a company suffers a cyber security breach follow something of a pattern. As Marc Ha, vice president and managing director of Text 100, says: brands and agencies must listen, assess, prepare, engage and update both stakeholders and the wider public.
"We are seeing companies taking a consistent approach in terms of cyber security comms – starting with proactive disclosures, then ongoing updates on fixes and resolutions, followed by longer-term market education to mitigate customers’ personal exposure."
However, while the stages of a comms response may be formulaic, putting them into practice is anything but, and the pitfalls of getting the PR strategy even slightly wrong can be huge.
The biggest question is almost always timing: when to go public about a cyber attack. While the natural instinct may be to gather all the facts before making a media statement, West says that can be a big mistake.
"If you wait until you know everything, you will say nothing," he says. "Companies have to communicate quickly and keep the communication going two-way. Be authentic in the communication; talk about solutions."
When Sony’s PlayStation network was hacked in 2011, it was widely condemned for delays in revealing the scope of the intrusion. Conversely, Australian telco Telstra was recently praised for the speed with which it announced that its subsidiary Pacnet was breached.
Brands can do a certain amount of prep work before going public because the immediate questions are to some extent predictable, says Lankester.
"There should be clear planning in place and then the means to quickly answer questions such as: are you still under attack; are you subject to any ransom demands; and what actions should consumers be taking now?" he says.
"There will also be great interest in your preparedness."
The benefits of early public engagement are clear to see. And yet, on the flipside for agencies advising on cyber breach PR, communicating immediately can also present significant dangers for a brand.
Hayden at Edelman says: "Going out with information too early can ultimately hurt an organisation in a data breach.
"Remember that facts are very fluid when responding to a data security incident, and telling too much too soon can lead to inaccurate dissemination of information, compromise of more data, and further reputational damage by breaking trust again."
A clear recent example of this is the fallout from the hacking of UK telecoms provider TalkTalk. The company announced the breach immediately, but its CEO was subsequently lambasted for giving out confusing and conflicting information.
Moreover, the longer a company waits to disclose, the more likely a leak is to occur, at which point the brand and its comms agency lose control of the narrative and are left wide open to reputational damage.
It is therefore crucial, Neighorn at FireEye says, to have a proper investigation of the breach carried out and the facts from it transmitted clearly to the comms team and then the public.
"Communications teams need to ask incident response teams tough questions if they want to maintain their credibility and avoid creating bigger problems for their organisations," he says.
Even if a company is required to remain silent because it is under investigation by the law, West says brands must "still prepare for the day when the breach becomes public, either via a leak or law enforcement".
Losing some control is inevitable
Even with meticulous planning and a coherent comms strategy, there is only so much you can control regarding the public and media response to a cyber attack.
While brands in Asia remain mostly reticent to disclose cyber breaches, observers say many are changing their policies in the face of social media, and realising that if they do not interact genuinely with their engaged, tech-savvy consumers, they can be put to the proverbial sword online in a matter of hours.
"The speed of risk has become 140 characters or less," explains Hayden. "Facts are negotiable, and the risk of not controlling the narrative and leaving a void for others to fill is greater than ever.
"Unfortunately, there are no safe havens from digitally empowered agendas or social exposure. More Asian companies are going to need to be more proactive in disclosing."
West says the comms trends developing in APAC around disclosing cyber attacks are possibly doing so more quickly because the sheer volume of breaches occurring across the region is growing day by day.
The media is increasing its focus on the time gap between discovery and notification; there is a strong belief in public entitlement to more details; scrutiny of data retention has grown; and more experts are being asked to publicly assess a brand’s response and whether it was adequate.
What’s more, the threat of consumer digital activism is only part of the problem for brands. Many of the hackers themselves now publicise when they’ve completed a breach, which is another factor for PR agencies to consider when advising brands on how and when to disclose.
Neighorn says: "Word of [hackers’] exploits can spread quickly on social media. These politically-motivated attacks have grown increasingly disruptive, in part because they want to be noticed, so their activities are easily covered by media."
As such, social media must be a key component of a brand’s comms strategy in a breach.
Companies must have comprehensive social listening tools working round the clock so they can respond immediately to any developments and ensure a consistent message is delivered across all stakeholder groups.
But it should not all be one-way fire-fighting for brands on the internet, says West.
"Importantly, brands need to treat social media as both a threat and an opportunity to communicate direct, in real-time and unfiltered with their stakeholders."
It is this that all crisis comms experts say should be at the heart of coming clean about a cyber attack: authenticity. While the headlines suggest otherwise, consumers all over, including Asia, are aware that cyber attacks are increasingly a matter of when, not if.
When a PR strategy around announcing a breach is handled well, brands are often viewed more as victims, and this is achieved by remembering who the intrusion has affected and speaking to their needs.
Hayden says: "Throughout all of the communications efforts the affected party – whether they are consumers or employees – should be your north star."
Indeed, says Lankester, at Ruder Finn, consumers realise that it is not the brand that has broken the law.
"Where they are unsympathetic is where there is evidence that management did not invest suitable time, attention or money in keeping their data as secure as possible."
For brands in Asia-Pacific, these myriad communications issues are an increasing statistical reality as the region suffers ever more from cyber security threats.
The days of keeping tight-lipped and hoping no one will find out are well and truly over.