Speaker 1: Welcome to the cyber risk management podcast. Our mission is to help you thrive as a cyber risk manager. On today's episode, your virtual chief information security officer is Kip Boyle and your virtual cybersecurity council is Jake Bernstein. Visit them at cyberriskopportunities.com and focallaw.com.

Jake Bernstein: So Kip, what are we going to talk about today?

Kip Boyle: Hey Jake, today, we're going to learn more about the effects of cyber attacks on corporate reputation and consumer confidence. And we're going to do that with the help of our friend and public relations expert, Casey Boggs, who joins us as a guest today. And Casey's the President of Reputation Us, which is based in Portland, Oregon, and he was a guest back on our October 1st, 2019 episode. And so Casey, welcome back to the podcast.

Casey Boggs: Well, thank you gentlemen. Thanks for having me back. Appreciate it.

Jake Bernstein: And Casey, I was on vacation the first time you were a guest, so I'm glad to be speaking with you now.

Casey Boggs: Great. Yeah, I wish I was on vacation, but we're here taking care of these malicious actors. So until then we're going to be talking about it. So thank you, Jake. Appreciate it.

Jake Bernstein: Yeah. And I have to ask is your company's name pronounced Reputation Us or Reputation U S, or is that kind of intentional that it could be either.

Casey Boggs: It's a good point, actually, there's even more to it, but the Reputation Us is all inclusive that we are representing companies. It's a collective effort here. Rep Us is the shorter pronunciation for the company and it's really representing companies. And so it's a larger discussion, but the whole idea is reputation's an important part of corporations now more than ever, but it's a collective effort than just simply a community effort. It's an all encompassing, all department issue then. We're here to help on enhancing reputations and protecting reputations.

Jake Bernstein: Excellent. Well, thank you very much for that. So you guys recently a cybersecurity and reputation survey. Can you go ahead and give us an overview of, kind of what you did, what that means and how it turned out?

Casey Boggs: Sure, my pleasure. So our firm, in addition to DHM research, which DHM research is based here in Portland as well, and they usually do political survey surveys and bipartisan surveys on public opinion. And so every month they look to different areas as far as things that are on top of people's mind. And one of them was a combination of reputation and cybersecurity. We proposed this survey with the DHM and coincidentally it was during cybersecurity awareness month, which is back in October, as you gentlemen, probably both know, and really looked and examined the effects of cyber attacks on consumer confidence and really corporate reputation. And the study really was conducted back in September, but the results came out in October and we surveyed 562 adults in Oregon. And those are the participants because of the confines that DHM had. And we wanted to make sure we kept it within a state for measurement purposes, but it was a pretty good pool of people and some really good intriguing insights.

Kip Boyle: So Casey, before we start understanding the results and the implications, I was curious to find out why would you conduct the survey now? Was it because you were focused on cybersecurity awareness month? Or was there something else driving this?

Casey Boggs: Yeah. There's no denying right now that cybersecurity is an imminent risk to corporations and disruption to businesses continuity. There's a really potential large ramifications that businesses need to take serious and damage to reputation and really loss of consumer confidence and trying to capture their best interests is one of our number one priorities here to find out really what's going on. And so combining and bridging the two together was our ultimate goal.

Jake Bernstein: So Casey, I'm dying to hear the bottom line. What would you say were the key results or key takeaways from the survey?

Casey Boggs: Well, I'm glad you asked. We were anxious to find out ourselves and when we did receive it, one of the first things we saw that, out of those who participated 73% had personal information compromised, which I don't know about you gentlemen, but certainly it was a higher number than I would thought. It's a question we wanted to make sure that are we talking the right people or people are even affected by consumers or otherwise. And 73% is a vast majority of people certainly were affected.

Kip Boyle: They were qualified to answer the questions weren't they?

Casey Boggs: That's right. Exactly. And so the other part where we want to get into the thick here is it of, it's mostly a question of whose to blame? If there is a cyber attack, whose to blame? And here's where I think the biggest aha moment was that, of those participants, 54% said the hackers are to blame if a corporation gets hacked, while 46 per percent say the corporation is, so almost a 50-50 split.

Kip Boyle: How interesting. So this is kind of a blame the victim sort of a perspective that some people had, right?

Casey Boggs: That's correct. Yeah. And it's left to interpretation, but I would've thought, me personally, and this is just me jumping in here, but I would've thought, well, the hackers. They're the bad guys. They're the malicious actors out there.

Kip Boyle: Yeah.

Casey Boggs: They should be ridiculed and taken care of and taken out of society. But that's not the case. They're like, wait a second, corporations are just as much on the hook about this as anyone else is. And I wouldn't have said that maybe based of what I know and the world I live in within cybersecurity, but the consumers, which are ultimately the people on the street who are affected by it, they say otherwise. So I thought that was interesting dynamic.

Speaker 1: You know, it actually kind of makes sense to me because if you look at the terminology that we use around cyber, particularly cyber hygiene, cyber hygiene implies that there is a baseline level of risk that isn't, yes, there are humans involved and someone is at fault, but on a macro level, there is a baseline risk of infection if you will.

And if by saying that, this actually in some ways gives me a hope that people are starting to figure this out. Yeah, you could blame the hackers. But if you look at the existence of hackers as no different than germs exist then what you really have to do is, whose fault is it if you get sick? You're going to blame the germ, or are you going to blame yourself for not washing your hands, not getting a flu shot, et cetera, et cetera.

So I think this makes good sense. And, honestly, as counterintuitive as it may seem, I would like to see the percentage blaming the quote victim to get higher, because I think that they are the ones responsible for keeping themselves clean and safe. And if we shift the blame to the actors, then I think that, we can't control the actors at all right?

Casey Boggs: Right.

Jake Bernstein: So we really should focus on what we can control. And in this case, it is the corporations being hacked.

Kip Boyle: I'm going to throw a counterpoint in there just for a second. I'm seeing a lot of shame among companies that are being successfully cyber attacked and because, and I think they're feeling shamed because they, they don't want to be blamed for being a victim. But I think one of the practical and bad consequences of that is they're not reporting what's happening to them so we don't have visibility into what's going on. And so from a law enforcement, crime fighting perspective, there's so much going on out there that we don't have visibility into. And I think the consequence, another consequence of that is this whole thing about what cyber attackers are doing to our economy, I think is wildly under reported in the media.

Casey Boggs: Yes.

Kip Boyle: And I think part of it is because people are being silent when they are victimized. And I personally think that, in the past an individual might get blamed if they were robbed or mugged or raped or something like that, it was a shame thing. And I think as a society, we've evolved past that. And we realized that just because you're a victim of a crime, a violent crime doesn't mean you were asking for it, doesn't mean that, that you are really to blame. I think perhaps because you're talking about corporations that are well resourced that changes the calculus a little and I'm okay allowing for that, but just this whole shame, this whole atmosphere of shame I think is counterproductive.

Casey Boggs: Right.

Jake Bernstein: So I think that's a really interesting discussion point because I think the shame aspect is counterproductive, except there's a lot of companies that need to feel that shame because they're doing nothing crosstalk

Kip Boyle: But it's private shame because they're not telling anybody, so it doesn't have the corrective effect that public shame would.

Jake Bernstein: Well. And so I think that works up until the point when you need to call Reputation Us. Right? Because what happens is there are, you're absolutely right, there are a lot of unreported cyber attacks, but at the same time the most publicized variation is of course, a data breach. And I'm guessing that is when Reputation Us comes into play. And when you've got major consumer confidence issues, but kind of going back to your core point there is, that I think what I was trying to say was we have to draw a distinction between kind of meet space crime, where we victim shame in some fashion and cyber crime, which we've talked about on this podcast before, the fundamental differences between physical type attacks and crime and the effects of technology on it, such as the ability to act remotely, the ability to automate, the ability to script and not require much human intervention. And I just think it's a different, we have to start thinking of it as a different type of crime. One where the actions you take to inoculate yourself, matter more than a placing blame on the bad actor.

Kip Boyle: I can go along with that. So, Casey, what else did you find from your survey?

Casey Boggs: Yeah. And if I can quickly link the two, cause I actually both agree with both of you on this one, because Jake, your analogy about a germ is really intriguing. I agree with you. And then obviously Kip on the other side as well. Like whose the blame? So let's pretend it was a Measles outbreak or a Ebola that we want to make sure that everyone knows it's out there, highlight the awareness that there is an outbreak here. You may not necessarily be affected. You can pretend it doesn't exist, but boy, if it happens to come in your backyard and more and more are happening to you within your industry, within the community that you serve, and there's an issue going on, wouldn't you want to have that conversation? You can look at the Measles and blame them for being Measles-

Kip Boyle: Or blame a witch.

Jake Bernstein: inaudible

Casey Boggs: Yeah, or blame a witch that's right. It doesn't exist. But the idea here is that, all right, we need to have a conversation. What do we need to do? Wash our hands, go make sure you're checked out more frequently, those types of conversations, that's it. I mean, and this is a epidemic and there's no question about it. And so now, as opposed to hiding from it, just expose it for what it is and tackling it accordingly.

Jake Bernstein: And I think too, that the shame aspect will go away as more and more companies adopt quote reasonable security measures. There's no shame in getting sick if you've done everything you reasonably can do. There's always that risk, right? If you get a flu shot and then you get the flu, you don't spend weeks in a depression over how much shame you feel because-

Casey Boggs: Right.

Kip Boyle: Right.

Jake Bernstein: Because you got the flu anyway. It happens, there's a percentage risk. It's never, just like cyber security, no immunization is a hundred percent proof against a disease, particularly the flu. Similarly, as long as these companies, as long as corporations are able to do what is reasonable, then there shouldn't be shame in getting hacked. Hopefully, and ultimately another talk about epidemiology and herd immunity, the same thing is true of cybersecurity. Right?

Casey Boggs: That's right.

Jake Bernstein: If everybody is taking reasonable measures, then it makes everybody more difficult to hack, particularly when you look at supply chain compromises, et cetera.

Kip Boyle: Yeah. I mean, that comes back down to like, eradicating polio, right. Everybody's got to be vaccinated against polio in order for it to not have a host to land on and to be eradicated

Casey Boggs: crosstalk stuff in here, gentlemen.

Jake Bernstein: Well, it's the cyber hygiene metaphor taken to its extreme, and all from one one result. So maybe, what don't you go ahead and take us through to the next result.

Kip Boyle: Oh yeah.

Jake Bernstein: Of your, of your survey

Kip Boyle: Or we'll never, we'll never finish

Jake Bernstein: Exactly.

Casey Boggs: We got a lot to say. Well, there's quite a bit. And I encourage anyone who's interested to look at all the results that we have, but I think a couple different points were important for us to take a look at, but we looked at different industries, the competence level of an organization to protect private information. And the number one industry came up on consumer competence level was the bank and credit union industry, which I found was pretty interesting because our firm has been tackling or helping banks and credit union from the get go, on how can they mitigate against issues and reputation risks on as it pertains to cybersecurity. But the consumer, according to this survey said, hey, the banks and credit union, I got confidence. They're going to protect us. And I think that might have been a departure from three, five years ago, but right now, according to this list, they're number one. Then right behind them was the healthcare providers at 74%. And it goes on and on and on. But I thought that the bank and credit unions who have one of the most important things to people is their money, that the folks feel confident that they are protected in that arena.

Kip Boyle: I wonder why.

Jake Bernstein: You know what those two industries have in common, right? They're both heavily regulated and have had the longest period of strict rules around cybersecurity. So, gosh, it's almost like this proves in a fashion that regulation around cybersecurity works.

Kip Boyle: Well, certainly it has an effect on the perception, right? Because one of the things that I'm sitting here thinking about is, well, wait a minute. If I go out and do a Google news search on data breaches and hacking, and that sort of thing, I'm going to see so many articles on banks, credit unions and healthcare providers. In a way, it almost doesn't seem to match up to what's being reported in the news media. So I've still got a little bit of a question mark over my head.

Jake Bernstein: Well, I wonder if it has something to do with the types of attacks and the general baseline level of, kind of blame or shame if these, like we said not more than five minutes ago, there's no way to have a hundred percent perfect cyber security, which means that for the reasons that were just given, they have some of the most valuable data. They're always, always, always, always going to be attacked constantly.

Kip Boyle: Yeah.

Jake Bernstein: And so, it's not reasonable to expect that there's not going to be a baseline level of attacks in the media. It's just that they're not a big deal because they're otherwise doing what they can. And perhaps that means that there's attacks, but they don't result in anything major. There's nothing super embarrassing or damaging that comes out.

And you know what this makes me think of, is back when I was at the Attorney General's office, we had a concept that we would apply to large corporations. We just called it kind of the complaint baseline or the complaint profile of a company. When you're an Attorney General trying to do consumer protection enforcement, one of the things you're looking at is, well, what kind of complaints are we getting about this company? The thing is that you have to understand the complaint baseline because certain types of companies, namely telecommunications, cable providers, they always have a certain number of complaints. So you can't just say, okay we're going to sue whoever has a hundred complaints or more each month, because those companies have a thousand complaints each month just as a baseline. And I think it could be similar to what you're seeing with the banks, credit unions and healthcare providers in cyber, which is, sure people, yes, they're getting hacked, but people otherwise feel safe because, hey, that's just the baseline level of attacks that they're crosstalk

Kip Boyle: Yeah. It's sort of the noise, the ambient noise.

Jake Bernstein: Yep.

Casey Boggs: That's right.

Kip Boyle: What else did you find Casey?

Casey Boggs: Well, I've just got a couple different stats here, but I'll go with one last one. The part where if a hack does happen, the participant said 96% says corporations should publicly acknowledge an attack occurred and offer free credit monitoring for one year. I would think of course they would say that, but pretty much the majority, if not all of them said, okay, when it happens, you're on the hook. You need to provide us further protection. And even more to that point is that they should provide free credit monitoring for one year, even if there's no evidence that the information was stolen. So it's not like oops, we messed up or oops, your information is gone. No, just in general, the consumer is asking for more and saying you, corporation should be on the hook to protect our information and our data and do so now.

Jake Bernstein: Yeah. And that is so fascinating because it really says to me, that legislation is first of all, it's already coming and from many states, but it's the regulation and the legislation is on its way. And that level of agreement on the attitude kind of shows why. And just to beat a dead horse a little bit more, if you think of this as, should we be victim shaming or victim blaming, think about this, what value is there in telling the flu virus not to infect humans, just don't do it.

Casey Boggs: Right.

Jake Bernstein: It's useless, right? And it's just as useless as telling the Eastern European criminal gangs and mafias, or the Russian myth mafia or military, et cetera, just don't hack us. Please don't hack us. It's pointless. Right? And so someone has got to take responsibility. And I think that your survey shows exactly who people think should to be taking responsibility for this issue.

Kip Boyle: So I want to ask a question about that. So, if we were talking about bank robberies, somebody showing up at a bank branch with a gun saying, give me your dough. Do you think that the participants would still say that it's the corporation's responsibility? Or would they draw law enforcement into this, because I think law enforcement is missing from this equation here when it comes to cyber. So, Casey, was there any questions put to the people surveyed about the role of law enforcement? I really am curious.

Casey Boggs: The answer to that is no. See we had to limit it to a certain amount of questions. But I do know that the FBI and obviously law enforcement have taken an important role. And as we are in the thick of things, so for instance, if we do have an attack we're brought in one of the first phone calls we make besides our insurance and our legal advice and hopefully reputation firm, but would be the law enforcement because we want to report it.

Kip Boyle: Yeah.

Casey Boggs: And we want to make sure we can learn from it, but also mitigating against further damage. So they are a part of the equation, but was not part of this particular, but might be a good follow up question in future surveys.

Kip Boyle: So here's how I think that's relevant to our audience, so the people who are listening, this is something I think is important. So 96% of participants said that corporations should acknowledge an attack. And so what I think that gets to is people are in part saying that law enforcement really doesn't have a major role to play in preventing this stuff and dealing with it. And so I think as a cyber risk manager what that would tell me, is that I've got to step up here. I've got more burden on my shoulders in the case of a cyber attack than I would in the case of a physical, gun based attack. I don't know. That's a takeaway that I've gotten from this.

Casey Boggs: No, it makes sense. Yeah.

Jake Bernstein: Yeah. I don't disagree with that, but I think even that is starting to shift. If you think about the kind of requirements to run active shooter drills and the way that a lot of banks have literally rebuilt physically the buildings so that there's man traps and all this stuff. I mean, I think what we're seeing is a shift from, again, it's a question of what do we have control over? You can't control crazy. You can't control criminals. And you cannot control distant military or nation based hacking attempts. What you can control is how you prepare, deal with, and otherwise immunize yourself against those risks. And so, it's not really surprising to me to see these results. And I do wonder, honestly, these days, what the results would be if you asked someone who's at fault for a successful bank robbery? It would be interesting.

Kip Boyle: So, Casey, I'm wondering as we wrap up the episode here in a few minutes, what should our listeners takeaway from the survey? What's your perspective on takeaways from what you've learned?

Casey Boggs: Sure. And it just piggybacks on what Jake was just talking about, and that's really preparation. And there is two things going on when a cyber attack happens to fix the problem, business continuity and figure out what happened and do take all the necessary steps. But the other part too, is communications toward that problem. What do you do? How do you communicate? Who do you communicate to, those types of things? So let's simulate this ahead of time. So now that we know that this is a real and present danger and has been for a while, and that consumers are essentially putting the blame a lot of on the corporations, let's prepare for it. Why wouldn't yo? And so preparing for to do your best to safeguard your company through other different means and getting to make sure the business, there's no more disruption, at least mitigate the best you can on the risk, but from a reputation side, what can you do?

Well, have a plan in place. Have a task force that's been deputized to help in the communications of that and make sure that all the important parties are communicated to ahead of time. And then you go through the process of making sure that you are doing your best to communicate, educate, and do your best to make sure it doesn't happen again. And that's our job, is to learn from these lessons. It's going to happen, but let's prepare for it on our dime as opposed to during the fog of war and when the actual house is on fire. So let's do something about it now.

Jake Bernstein: Yeah.

Kip Boyle: Okay. So preparation, I was interested to know about cyber insurance. So we've talked about cyber insurance at different times in previous episodes. Jake and I, we agree that having cyber insurance is really important. Casey, from your point of view, does cyber insurance help with the reputation damage or the reputation issue? Where does that come in?

Casey Boggs: Yeah. So one of the first things when we're brought in, we actually are brought in a lot of time from the insurance. So we've been a vetted service provider from large carriers and they call us, usually when the attack happened. And so the coverage does cover public relations or reputation management, but that's simply just taking care of the problem when the house is on fire, if you will. There is coverage to that end and some of them are as large as $250,000 to $500,000 damage.

So there's a lot of policies that have public relations, but again, this is during and after. Where cyber insurance typically doesn't have coverage is the before aspect. And that meaning that the planning piece well as mitigation and, training of sorts. And that's where we're striving to make sure that's a part of the equation moving forward, not only with your insurance, but just in general companies, that this is critical because we like to say an ounce of prevention is worth the pound of care, right? You pay a little bit of money now to make sure you're prepared for it. It really goes a long way. The larger impact here is you're going to potentially have a huge, crippling damage to your brand, your image, the competency of your products and services based off those attacks, and might as well do some preparation ahead of time. So that's the whole idea.

Jake Bernstein: Just going to continue to play my role this episode and point out that is also a metaphor used in public health, ounce of prevention, pound of cure. The metaphor continues to write itself.

Kip Boyle: Yeah. I think it's a great metaphor to help all cyber risk managers. And I also believe that government should be looking at cyber risk in the same way that we do a public health problem. In fact, there's even a precedent for this because highway safety also benefited greatly when the thinking about highway safety was shifted from, it's not cool to wear a seatbelt or only weak people are concerned about automobile crashes, right? I mean, it was kind of, we were thinking about it in a very different way. And then when we started thinking about it in terms of public health, it really shifted people's perspective. It opened up all kinds of opportunities for us to do things that today, I mean, have driven traffic fatalities down a tremendous amount from where they were. I think cyber could benefit in the same way.

Casey Boggs: That's right.

Jake Bernstein: Absolutely.

Casey Boggs: All kinds of metaphors in airplane safety and fire events are prepared, when you're in an emergency exit row, you have your preparation ahead of time. The flight attendants are there to prevent this from happening. Crashes are probably not going to happen, but before they are, let's make sure you prepared. Cyber attacks are the same issue.

Kip Boyle: They are. And the NTSB in the United States does something that I really would like to see us adopt in the cybersecurity space, which is whenever there is a plane crash, there is a meticulous investigation of what caused that crash and they drive to the root cause and they spare no expense at doing that. I've seen some articles about the reconstruction of destroyed airplanes in giant-

Casey Boggs: Right.

Kip Boyle: hangers, so that investigators can sift through the rubble and figure out what exactly caused this aircraft to crash so that we can prevent future crashes. And, you know what, I don't see nearly the shame around aircraft accidents as we do in cyber. And so folks are open to the idea of having this root cause analysis performed because nobody wants to see another airplane crash. So we could really benefit from adopting that model as well.

Casey Boggs: I like it.

Jake Bernstein: Agree.

Kip Boyle: Okay. All right. So any final comments as we wrap up our episode, Jake?

Jake Bernstein: No, I think this has been really fascinating. I'd encourage people to check out the survey results and to plan for the reputation aspect of a cyber attack, just as as much as you prepare for the technical aspects.

Kip Boyle: And just to be clear, it's part of the NIST cybersecurity framework that you should have preparations for managing your reputation as you respond and recover from a breach. So, yeah. So it's baked in there as well. Casey, we really appreciate you joining us today, being our guest. Where can people learn more about you and your work?

Casey Boggs: Yeah. Well, thanks for having me. I really appreciate the conversation. It feels like we could probably talk for another hour.

Kip Boyle: I'm holding myself back.

Casey Boggs: That's right. Well, the website is reputationus.com the word reputation, us.com. And then if you want to learn more information about this specific through the cyber survey, it's reputationus.com/cybersurvey.

Kip Boyle: Fantastic. All right. Thank you for joining us today, Casey.

Casey Boggs: Thank you.

Kip Boyle: And that wraps up this episode of the cyber risk management podcast. Today, we learned about the effects of cyber attacks on corporate reputation and consumer confidence with the help of our friend and public relations expert, Casey Boggs. And we'll see you next time.

Speaker 1: Thanks for joining us today on the cyber risk management podcast. Remember that cyber risk management is a team sport, so include your senior decision makers, legal department, HR, and IT for full effectiveness. So if you want to manage cyber as the dynamic business risk it has become, we can help. Find out more by visiting us at cyberriskopportunities.com and focallaw.com. Thanks for tuning in. See you next time.