Asian brands continue to make slow progress in cybersecurity crisis planning, due to the lack of awareness about the issue and continued mistakes around how to respond, according to Vitor De Souza, vice president of global communications at security-software provider FireEye.
De Souza said that in almost every case of a cybersecurity breach that FireEye has been involved with in Asia, “in terms of communications planning, they did not have any at all”.
“They would have what they would call a ‘business continuity plan’, which is totally different," he said. "It has nothing to do with crisis.”
Coupled with this lack of preparation is a tendency in Asia to cling rigidly to company hierarchy in a crisis, which can be a big mistake if the person handling the crisis is not the most knowledgeable about the situation.
“In Asia, company hierarchy is very important,” De Souza told Campaign Asia-Pacific. “What I see a lot is that there’s this immediate push toward the chairman or CEO to handle the crisis. But the education of the C-Suite in Asia regarding cybersecurity, just in terms of awareness, is not at the same level as other regions.”
Brand reputation can be severely damaged if a top-level executive is put before the media without sufficient knowledge of the crisis, and it is up to the communications team to ensure that does not happen, said De Souza.
“I wouldn’t necessarily say it’s the response from the CEOs that causes an issue,” he explained. “It’s more about the lack of preparation. Culturally, you can decide it must be the CEO, which is absolutely fine and something most companies would want to do. But then you need to prepare them; you can’t just expect them to talk.
“Comparing globally, Asia is behind on best practices. The maturity is lower here, and the crisis plans just aren’t there.”
De Souza said that in a cyber crisis, unprepared communications teams can often add to a brand’s problems by just reverting to their regular spokesperson, who again may not be the best person for the situation.
“If you don’t do the right preparation, or you don’t know the scenario you’re dealing with, and you just send out the media-relations person, you’re not responding to the problem,” he said.
Despite ongoing issues, De Souza said that the situation is improving, particularly since the high-profile cybersecurity breach at toy company VTech in Hong Kong in December 2015.
Since that crisis, more Asian brands are aware of the threat of cybersecurity and are disclosing breaches.
“Companies in Asia know it’s coming, they’ve seen how other countries have progressed, so they’re now trying to prepare ahead of it in case they’re the first company that has to deal with it,” De Souza said. “I’ve seen improvements in just the last six months. Asian companies are doing much better with C-Suite preparation, but step one is build a response team and prepare properly.”