
Firms hit by cybercrime are lacking clear communications plans

boschettophotography | Getty Images

A survey has found that a concerning number of companies lack a clear plan for how to communicate with the public in the event of a cyberattack.

While 50 percent of the 1,735 organizations surveyed for EY's annual Global Information Security report said they were confident they could detect an attack (the highest level of confidence since 2013), the survey also found that 42 percent of respondents do not have an agreed communications strategy or plan in place should an attack happen.

Adding to this, 48 percent said they would not notify customers who had been impacted within the first week.

Paul van Kessel, EY global cybersecurity lead, said this delay would be due to the lack of a strategic response plan.

"It's imperative to address if any weaknesses or failures in the recovery plans become known, because the longer these problems continue, the worse the situation will get. In fact, many of the proposed regulations or laws around reporting of cyber attacks say that companies must notify customers within a certain number of days," he told CNBC via email.

"What complicates the matter is that many cyber attacks are not discovered for months, or sometimes years. And in cases where law enforcement is involved, they may request that companies do not notify customers while their investigations continue. These are some of the most significant challenges that companies face when deciding what, how and when to communicate."

This lack of disclosure may still come as a concern to shareholders or customers. On the other hand, new regulations such as the European Union's General Data Protection Regulation, which comes into force in May 2018, will force companies to report on security breaches more quickly.

"Breach reporting requirements will be significantly increased and more onerous in a world where the GDPR is enforceable," Ryan Rubin, managing director at global consultant Protiviti, told CNBC via email.

"In a climate where there is a high likelihood of data breaches occurring - which are often unavoidable - it is surprising that many have not put in sufficient planning to manage communications post breach. As we have seen in the past, how companies respond to data breach events will be judged equally or higher than the breach event itself."

However, if organizations can avoid being attacked in the first place, they may not need to disclose anything. Van Kessel shares some tips on how they may improve their security.

"Organizations should use cyber threat intelligence and 'active defense' to predict what threats or attacks are heading in their direction and detect them when they do, before the attack is successful. Second, they should upgrade their resistance," he said.

"Last, but not least, companies must improve the ways they react. If companies don't see the threat coming… companies need to react to limit the impact of the attack and get back to business as usual as soon as possible."
