Tag Archives: Risk management

London-based risk management provider Aon recently released its Global Risk Management Survey. Damage to reputation/brand remained the top-ranked risk among businesses. While defective products, fraudulent business practices and corruption continue to be key threats to reputation, social media has greatly amplified their impact, making companies more vulnerable. Additionally, risks that are traditionally uninsurable are becoming more volatile and more difficult to prepare for and mitigate.

“We are living in a challenging new reality for companies of all sizes around the world. There are many emerging influences that are creating opportunity, but at the same time, creating risks that need to be managed,” said Rory Moloney, chief executive officer for Aon Global Risk Consulting. “As the risk landscape for commerce evolves, businesses can no longer rely solely on traditional risk mitigation or risk transfer tactics. They must take a cross-functional approach to risk management and explore different ways to cope with these new complexities.”

 
 
Kenneth Citarella

Cyber risk protection is a key aspect of reputation management for corporate leaders, high net worth individuals and their organizations. We interviewed Kenneth Citarella, Senior Managing Director, Investigations and Cyber Forensics at Guidepost Solutions to gain insight into the most common (and often surprising) threats they face. Guidepost Solutions LLC is a multinational investigations firm specializing in monitoring, compliance, international investigations, and risk management solutions. Mr. Citarella’s areas of expertise at the firm include computer crime and fraud.

What are some examples of cybercrimes you have seen that could have been prevented with better due diligence and proactive risk assessment?

We were retained to investigate problems at a firm after it had hired a new CFO to oversee the design and implementation of a new computer network. The new CFO hired a personal friend as a consultant on the project. Then they conspired to overbill the firm and monitor the emails of key personnel. Simple due diligence would have disclosed the relationship. Also, it is important to remember that due diligence on a third-party vendor who will have access to your network must include their cybersecurity practices. One of the most publicly scrutinized attacks on a retail chain began through its HVAC vendor. Incidents such as these illustrate how important it is to be aware of your network’s vulnerabilities so you can identify and implement preventive practices.

How have the new technologies used by corporations changed due diligence methods — and where do you continue to see vulnerabilities?

Due diligence methods have not changed that much. Internet-based research has been around for years. But the objectives and scope have greatly expanded. For example, if you are acquiring a company, you are not only concerned with their profitability, personnel, facilities and other traditional qualities, but with their digital practices as well. Can your networks be integrated? Are data protection procedures equivalent? Are your BYOD policies the same? Questions like these have to be addressed so that you are at least aware of the risks you are assuming. These questions are as necessary as evaluating internal financial controls and inventory. The issues are similar when evaluating third-party vendors. They handle your data and access your network. Their cyber vulnerabilities become yours.

What are the most common cyber threats facing high net worth individuals and their families?

High net worth individuals and their families face all the same cyber risks as anyone else, but they are also more lucrative targets and often have higher Internet profiles—of which they may not be aware. For example, information about a prominent executive may exist on multiple websites, including those of his employer, a conference he attended, and a trade association he is involved with, as well as on public media platforms. In addition, the executive’s children may be active on numerous social media platforms, leaking details of family and parental activities. From these rich sources, a criminal can mine enough details to craft a carefully scripted approach targeting a specific person (which is known as spear phishing). Far more sophisticated than the more general shotgun attempts aimed at the unwary public, these attacks will reference details of the target’s professional or personal life that only a genuine associate would typically know. That is what makes them so hard to resist. Add the fact that many high net worth individuals have personal administrators for their homes or offices who answer emails and the risk escalates. Modern communications have effectively created a due diligence obligation for high net worth individuals to know and control their Internet profiles in order to minimize their risks.

If you could give them one piece of preventive advice, what would it be?

Assume you are at risk. Get educated about your vulnerabilities, address them and periodically reassess.

Cyber risk is in the news daily (and many more incidents are not made public). Can you provide examples of the type of incidents that are most damaging to corporate and executive reputations?

Recent headlines provide all the examples we need. Multiple retail chains have been hurt because they cannot protect their customer data. If the public hesitates to shop at a store because of data breach concerns, sales, income and stock price can all fall. Intrusions have destroyed emails and corporate assets, exposed embarrassing internal communications and identified people looking for sexual affairs. Reputation repair for the individual and the organization may take an extended period of time—or may not happen at all. A high-profile corporate or personal life in the 21st century requires adequate cybersecurity at home and at work as well as a protected and controlled Internet profile. Highly qualified professional assistance to secure those objectives is a must.

This is the third in a series of interviews with experts whose work relates to online reputation management.

 
 

Online reputation management is exploding as an industry. As it has grown, so have its components, such as social media management and search-engine optimization, as well as reputation monitoring, which has become much easier to execute thanks to the renaissance in Big Data. There are reputation advisers, branding companies and crisis management firms announcing reputation management services, reputation monitors, global brand and reputation managers at mainstream and public companies, and SEO companies rolling out new reputation management tools.

Venture-capital funded online reputation management firms are preparing to go public. Mainstream PR firms are approaching firms such as this one to explore partnerships and buyouts.

As the fifth anniversary of Reputation Communication’s founding approaches in June (the fourth of our incorporation), this is an appropriate time to revisit the essentials of online reputation management and look toward the future. As the industry continues to expand, it will divide into niches. There will be an increasing need for specialization within online reputation management services. The more you understand them, the better the choices you can make for your organization – or for yourself. So follow these posts in coming days and weeks to learn what you need to know.

You can also follow us @reputationnews for a bird’s eye view of reputation management issues and resources that impact the highly specialized practice of online reputation management.