This article was published in: Cyber Security: A Peer-Reviewed Journal, Volume 4, Issue 4.
Abstract
The paper examines the impact of stakeholders during cyber crises and how failing to engage with them can quickly escalate a crisis into a reputation train wreck. While organisations must focus their efforts on preventing and mitigating cyberattacks, it is not always possible to fix the problems when they occur, and in some cases it may take weeks or months before the issue is resolved. If the affected organisation does not own up and communicate quickly with its stakeholders, this communication vacuum can seriously erode stakeholder confidence and ultimately destroy the organisation’s reputation. Using the famous ‘The Good, the Bad and the Ugly’ film metaphor, the author delves into three recent cyber crisis examples to identify which was handled well, which was handled badly and which was truly ugly, and to draw best-practice lessons. Recognising that stakeholders are at the core of our organisations’ ecosystem is a good place to start. By identifying and mapping them in order of importance, degree of influence and threat level, the organisation can develop engagement strategies that are designed to yield measurable results.
Furthermore, the stakeholder mapping process helps uncover opportunities as well as worst-case scenarios that can be prepared for, helping the organisation weather the storm. Ultimately, stakeholder outrage can drive crises into reputation meltdowns. The ability to communicate swiftly, transparently and credibly is the cornerstone of any effective crisis response strategy, especially for cyber crises, where there are seldom quick fixes. The ability to retain stakeholder trust in the midst of adversity and chaos underpins the organisation’s capacity to protect its reputation and possibly emerge stronger on the other side.
INTRODUCTION
Everyone agrees: cyber breaches are inevitable and are increasing in scope and complexity.
Much has been written about cybercrime, its origin, motives, players, methods, victims, detection and prevention capability and of course its cost, whether human, operational, financial or reputational, among others. The 2017 NotPetya cyber strike is a notable case in point. According to the New York Times:
‘In just 24 hours, NotPetya wiped clean 10 percent of all computers in Ukraine, paralyzing networks at banks, gas stations, hospitals, airports, power companies and nearly every government agency…’
‘…The attack made its way to global clients, eventually entangling Mondelez and Merck, as well as Maersk and FedEx’s European subsidiary.’
Cyber criminals almost always seem to be ahead of the curve while law enforcement, regulators, institutions and businesses try to play catch-up.
‘The BakerHostetler 2019 Data Security Incident Response Report found it took 28 days on average to complete a forensics investigation…’
QUICK OWNERSHIP AND COMMUNICATION ARE CRITICAL
Therefore, quickly communicating about the incident is almost as important as managing the incident itself. The ability to retain stakeholder trust is the differentiating factor between a crisis and a reputation train wreck.
‘The Twitter accounts of major companies and individuals were compromised… promoting a bitcoin scam.’
Twitter communicated quickly and continued to post regular updates, including statements from leadership expressing accountability and transparency.
THE POTENTIAL FOR STAKEHOLDER OUTRAGE IN RESPONSE TO ANY INCIDENT MUST BE RECOGNISED
Globalisation and increasing interdependence are generating multiple levels of stakeholders that become increasingly difficult to manage in a crisis. Organisations must now engage with a wide range of groups, including those amplified through social media.
Statistics show that many crises are “smouldering,” meaning they exist long before becoming public, often due to inaction or concealment.
‘Cyber-attacks, data breaches and IT outages remain top threats… with significant impact on operations and reputations.’
‘Just one compromised account can give hackers access to years of personal and financial data…’
STAKEHOLDER MAPPING CAN HELP PREVENT A REPUTATION MELTDOWN
All crises share one common factor: stakeholder pressure. Understanding and mapping stakeholders is essential to anticipate and mitigate crisis impact.
Stakeholder mapping involves identifying all relevant groups and categorising them based on influence and interest.
‘Stakeholder mapping identifies expectations and power and helps understand priorities…’
The ability to empathise with different stakeholder perspectives is one of the most critical leadership skills during a crisis.
During crises, stakeholder maps must be continuously updated as situations evolve.
THE GOOD — NORSK HYDRO
Norsk Hydro became the victim of a cyberattack in March 2019. The company responded quickly, switching to manual operations and refusing to pay ransom.
They restored operations progressively and communicated transparently with stakeholders.
After three days: 60% operations restored
After three weeks: production near normal
After one month: reporting delayed due to impact
The company’s transparent communication and proactive stakeholder engagement were widely praised.
‘Their response is being described as the gold standard… completely open and transparent.’
THE BAD — MARRIOTT
Marriott disclosed a major data breach affecting hundreds of millions of customers. However, its communication lacked empathy and timeliness.
‘Words missing from the statement: sorry, apologise, your data…’
Delayed communication and lack of transparency led to stakeholder frustration and erosion of trust.
THE UGLY — CATHAY PACIFIC AIRWAYS
Cathay Pacific confirmed a breach affecting millions of passengers but delayed disclosure for months.
This delay significantly damaged trust and led to regulatory investigations and criticism.
‘A catalogue of errors’ including poor security practices was later uncovered.