There is a number that does not appear in most cyber insurance conversations. It sits inside the claims data and it has nothing to do with the sophistication of the attack or the scale of the organisation affected. It is simply what a ransomware incident costs the average business before anyone has measured what it does to its reputation, says Dwayne Alexander.

That number is NZ$173,000 which covers legal costs, forensic investigation and the mechanics of notifying affected stakeholders. A prepared organisation can reduce that cost significantly. An unprepared one simply absorbs it.
That number does not include what happens next. The clients who quietly leave, the contracts that stall, the referrals that stop coming, the brand that spends the following 12 months rebuilding.
Business email compromise is the most common incident type — a convincing email, a misdirected payment, $35,000 gone. It rarely makes headlines. But for a law firm, an accounting practice or a Not-For-Profit protecting donor funds, it does not need to.
Who gets hit
The assumption that sector or size provides protection is one of the more expensive beliefs in the New Zealand business landscape. The QBE and Atmos Insurance data does not support it.
- Financial services accounts for 18.8 percent of all cyber incidents in the dataset.
- Professional services — the law firms, accountants, consultants and advisory practices that hold some of the most sensitive commercial and personal information in the economy — accounts for a further 17.5 percent.
Together, those two sectors represent more than a third of all claims. Importantly, many of these are also highly sophisticated organisations, with strong governance, mature cyber controls and a more advanced risk posture than most.
The volume of claims is not a reflection of neglect, but of exposure. When you hold critical data, the impact — and the attractiveness to threat actors — increases, even when strong controls are in place.
The professional services figure is the more striking of the two. These are businesses whose primary asset is not technology infrastructure but intellectual capital and client trust.
The irony is sharp: a breach compromises exactly what the business has spent years building. A law firm’s reputation for confidentiality. An accounting practice’s standing as the guardian of financial information. A fund manager’s credibility as a trusted steward of client wealth.
Not-for-profit organisations occupy a distinct position in this risk landscape. They do not feature as a named category in the QBE dataset, but their exposure is real and, in some respects, more acute than their commercial counterparts.
NFPs are typically underinsured, carry minimal internal crisis response capability, and hold a trust relationship with donors, beneficiaries and the public that is harder to rebuild than a commercial client relationship.
A cyber incident that would bruise a listed company can be terminal for a community organisation. That is not alarmism. It is a practical observation about where the sector sits when a crisis arrives.
Human problem at the centre of breach
Social engineering accounts for 35.7 percent of all root causes in the QBE & Atmos dataset.
That is the single most important number in this article, and it is not a cybersecurity statistic. It is a communications statistic.
Every breach that begins with social engineering began because a person was persuaded — by a message, a voice, or an interaction — to do something they would not otherwise have done.Â
The message looked legitimate. The request seemed reasonable. The sender appeared to be someone they trusted. No firewall stops that. No IT upgrade prevents it. The vulnerability was human and the exploit was communicative.
You cannot patch a person. But you can prepare them, and you can prepare what you say when the preparation fails. This is the argument that crisis communications professionals have been making to boards and leadership teams for years, with limited success.
The data from QBE & Atmos makes it more plainly than any case study can. More than a third of breaches began not with a technical failure but with a conversation. With a click. With a response to what looked, entirely reasonably, like a legitimate request.
The communications function is not the last line of defence in a cyber incident. It is present at every stage: in the culture that either does or does not take a suspicious email seriously; in the response that either does or does not notify affected stakeholders promptly; in the public statement that either does or does not hold stakeholder confidence through recovery. Communications is not the clean-up crew. It is the infrastructure.
The 20 percent left on the table
Pre-incident preparation reduces the total cost of a cyber incident by about 20 percent. That is the most commercially actionable finding in the QBE & Atmos dataset, and it is also the least discussed.
On a NZ$173,000 ransomware event, 20 percent is $34,600 saved. At that scale, it is the difference between an incident that damages the business and one that the business does not fully recover from.
That gap is not closed by a better firewall. It is closed by preparation: by the decisions made before the incident happens, not during it.
Organisations which invest in documented response protocols, tested communication chains, pre-approved holding statements and nominated spokespeople with media training recover faster, spend less and retain more client and stakeholder trust than those who respond in real time without a plan.
The data supports this. The case studies confirm it. And the organisations that have lived through a breach without preparation know it, often at considerable cost.
The 20 percent figure applies before reputational damage is counted. Once the downstream effects of poor stakeholder communication are factored in — client attrition, contract delays, coverage that frames the organisation as unprepared rather than unfortunate — the real cost of unpreparedness is considerably higher.
What good preparation looks like
The following is not an exhaustive checklist. It is a brief account of the five things that most organisations do not have in place and which make the greatest difference when a crisis arrives.
- A written crisis communications plan that has been tested in the last 12 months, not filed and forgotten. Most organisations have a document. Far fewer have a plan that has been stress-tested against a realistic scenario and confirmed to work with the people who are currently in the relevant roles.
- Pre-approved holding statements for the three most likely incident types: a data breach, a ransomware attack and executive-level misconduct. These do not need to be long. They need to exist, to be legally reviewed and accessible at 11pm on a Sunday when the incident is not waiting for business hours.
- A clear internal notification chain. Who knows first. Who decides what to say. Who says it, and to whom and in what order. Stakeholder communication that reaches the media before it reaches the affected clients is a predictable and avoidable failure. The sequence matters as much as the message.
- A designated external communications adviser who has been briefed in advance and holds a relationship with the organisation before hour three of an active incident. An adviser engaged for the first time mid-crisis is working with incomplete context while the situation is moving. That is an expensive way to commission communications support.
- A commitment to 24-hour response for affected stakeholders. The QBE & Atmos data on Business Email Compromise demonstrates clearly that trust erosion accelerates with every hour of silence. The organisations that communicate early, even when the information is incomplete, consistently outperform those that wait for certainty that never fully arrives.
These are the foundations. What follows is how you use them. None require a significant budget. They require a decision to prepare. The cost of making that decision is, on average, 20 percent of what it costs not to make a decision.
The crisis communicator’s 10-point playbook
- Contain first, communicate second – but not by much
Your first 20 minutes must be technical containment. Your first two hours must include stakeholder communication. These are not sequential decisions. They run in parallel. The organisation that goes silent for 12 hours while the technical team works is already in a communications crisis.
- Segment your stakeholders before you send a single message
Not everyone needs the same message at the same time. High-value clients get a personal call before any public statement. High-risk individuals – those whose data creates specific personal or legal exposure – get targeted guidance before the general announcement. The general audience gets a consistent, coordinated communication. Media gets a holding statement. These are four different messages, not one.
- Fill the information vacuum before others do
Silence does not reduce anxiety. It increases speculation. The bad actor in a breach is frequently more media-savvy and more available to journalists than the organisation being attacked. If you are not providing a narrative, someone else will. That someone else does not have your interests in mind.
- Lead with process, not conclusions
When you do not yet have complete information – and in the first 48 hours you almost certainly do not – communicate the process, not the findings. ‘Here is what we are doing, here is what we expect to know, and here is when we will update you again’ is more useful than silence and more credible than speculation.
- Pre-approved holding statements are not optional
The organisation that spends three hours drafting a first statement in the middle of an active incident is making every subsequent decision from a position of delay and distraction. Holding statements exist for exactly this reason. They need to be written, legally reviewed, and accessible before they are needed – not commissioned when they are urgently required.
- Legal compliance and stakeholder satisfaction are not the same thing
Meeting the 72-hour regulatory notification requirement is the floor, not the ceiling. Organisations that satisfy their legal obligations while failing to communicate with the people affected by the incident will find that the regulator is the least of their problems. Clients, media, and the public hold their own timeline, and it is shorter than the Privacy Act’s.
- Avoid the ‘closed barn door’ mistake
When you fix the vulnerability that was exploited, do not claim comprehensive security improvement. Closing a specific vulnerability is a technical achievement. It is not a security overhaul. Stakeholders and independent security commentators will test that claim, and if it does not hold, you have compounded the original incident with a credibility failure.
- The spokesperson is a decision, not an afterthought
Who speaks for the organisation in a crisis is one of the most consequential decisions leadership makes. That decision needs to be made in advance, the spokesperson needs to be trained, and they need to know what they are authorised to say and what sits outside their mandate. A spokesperson who does not know the boundaries of their brief will find those boundaries tested publicly.
- Update even when there is nothing new to report
Stakeholders who have been promised regular updates and do not receive them will assume the worst. ‘Our investigation is continuing, no adverse developments to report, next update at 3pm tomorrow’ is not a non-communication. It is a reassurance. It confirms that the organisation is still in control of the situation and has not forgotten the people waiting for information.
- Recovery is measured in months, not days
The first statement is not the end of crisis communications. It is the beginning of a recovery period that, for a significant breach, typically runs for six to 12 months. The organisation’s credibility during that period is built or lost in the quality of its ongoing communications – the updates, the accountability, the evidence of actual improvement, and the willingness to acknowledge what went wrong and demonstrate what has changed.
Better to be accountable than negligent
The organisations that recover well from a cyber incident are not lucky. They are prepared. The data knows the difference.
Ransomware accounts for 27.5 percent of all cyber incident types in the QBE and Atmos dataset. It is not the most common incident type. That distinction belongs to business email compromise – although ransomware is the most expensive and the most visible.
Every ransomware incident produces a moment at which an organisation must decide what it says to its clients, its staff, its regulators and the media. That moment arrives whether the organisation is prepared for it or not.
Organisations that have made that decision in advance — that have a plan, a spokesperson, a set of pre-approved statements and an adviser already briefed on their business — spend less money, recover faster, and retain more of the goodwill they have spent years building.
The data quantifies the difference at about 20 percent. The case studies demonstrate what that 20 percent looks like in practice: clients who stay rather than leave, coverage that frames the organisation as accountable rather than negligent, regulatory interactions that are cooperative rather than adversarial.
The question is not whether your organisation will face a crisis. The data QBE & Atmos shared suggests it almost certainly will. The question is whether, when it does, you will already know what you are going to say.
The paper was presented by Dwayne Alexander, director and co-founder of Alexander PR, companycrisis.co.nz and legalpr.co.nz, at a roadshow in Auckland and Queenstown. Other expert speakers and partners included Adam Smith – Microsoft Modern Work, Security and AI Lead, Dicker Data NZ; Chris Curran – Director, IT Live Wanaka and Trustee, RAD Community Trust; Ian Bennett – Teams, SharePoint and the Power Platform, CEO and Digital Workplace Guru, Custom365; Luke Irwin – ISSMP, CISSP, CISM, GCERT – Founder and Cybersecurity Strategist, Aegis Cyber Security; and Miro Dordevich – Head of Portfolio for Cyber, QBE Insurance. The QBE & Atmos claims data referenced throughout this article was presented by Miro Dordevich at the Auckland session.
