cyber Tuesday option 3So here’s an academic question. Would it bother you if your secret sexual fantasies were revealed to the world?  Would it be troubling if you were married and it appeared that those fantasies did not include your spouse?  How about if you were engaging in acting out your fantasies, and the information made public included your name, address, and matching credit card transactions?  Behold the plight of the customers of Ashley Madison, an online dating site catering to married individuals seeking to have an affair. Data stolen from the site is now appearing online, likely causing sleepless nights for many of the 37 million customers Ashley Madison claims to serve.

The titillating details of the Ashley Madison breach aside, there is a lesson in cybersecurity to be learned from this incident.  In reporting on the breach, CNN Money notes the site “has in the past bragged about its data security.”  Bragging about data security in any way, shape or form is a seriously bad idea. Among the universe of cyber threat actors there are those who seem to take particular delight in responding to a challenge. So if a company appears to suggest that it is virtually impregnable, it immediately marks itself as a more valuable target.

From a communications perspective, proactively discussing cybersecurity provides a bit of a quandary. It is necessary and useful to provide stakeholders with assurance that the company understands the risk posed by cyber threats, and is working assiduously to protect the critical information it holds.  However, that message must be delivered in a manner which at some level acknowledges that no company can offer assurance that it is impervious to being breached.  We do not lack for examples of major companies that have been compromised through data breaches.  People may understand that breaches will occur, but they do want assurance that companies in which they invest, or with which they do business, take seriously their responsibility to reduce their vulnerability to cyber attack.

In the cyber communications guide to the universe, you’ll find this approach filed under advice that was uttered by Walter Brennan when discussing how fast he was with a gun … “No brag. Just fact.”

____________________

By Tom Davis, SDI Cyber Risk Practice

SDI #CyberTuesday offers insights and commentary on cyber risk management by SDI’s trusted cybersecurity, privacy and data security experts, skilled practitioners whose decades of experience working for governments and corporations around the world distinguish them as strategists and crisis managers.

You can view previous blog posts on cyber risk management here.

July 21, 2015