In today’s evolving business landscape, trust is paramount—but it’s getting harder to earn and easier to lose. According to PwC’s
2024 Trust Survey, trust in institutions is declining and 94% of business executives say they face at least one challenge when building trust with their stakeholders. Both consumers and employees alike emphasize the significance of data protection as a fundamental element in earning their trust.
If we take a step back and think about the broader implications of trust—it permeates beyond any one individual company’s success or failure. Trust is vital to upholding the entire ecosystem in which all businesses operate, and the erosion of trust has considerable consequences for everyone.
Maintaining a strong cyber posture is a great way to build trust with stakeholders, and it’s become even more critical as the tools, technologies and tactics deployed by threat actors have grown in sophistication.
Cybercrime as a service: A trust annihilator
The proliferation of ransomware around the globe poses a critical threat to business trust. In an ecosystem where cybercrime as a service is the norm, criminal groups can acquire everything they need to deploy a costly ransomware attack to include the malware, potential victim access and customer support for their criminal activity. It’s now easier and more lucrative than ever before to deploy a ransomware attack, exacerbating the vulnerability of companies not only to data breaches but to breaches of trust. PwC’s
Global Digital Trust Insights survey (DTI) underscores this risk, with the proportion of costly cyber breaches ($1M+) increasing since last year.
We know it’s not a matter of if, but when a company will find themselves in the crosshairs of cybercriminals. As threat actors become more sophisticated in their methods of deploying ransomware attacks, the stakes for companies have risen — stakeholders are closely observing how these incidents are handled. Companies are evaluated and held accountable for the impact of an attack on their operations, their transparency in communication with stakeholders, the potential effects on third-party partners and the speed of their recovery efforts. With the scaling collateral impact that today’s ransomware attacks can inflict, building resilience is a critical strategy for defending against cyberattacks and safeguarding trust.
Building resilience: How to become a steward of digital trust
According to DTI, only the top 5% of companies, or ‘stewards of digital trust’ as we call them, are taking the proper measures to bolster resilience. From getting the basics right to comprehensive table-top exercises at the operational, executive and board level—these companies are charting the course for what an effective, robust cyber strategy looks like:
- Master the basics: Companies often overlook the importance of basic cyber hygiene, which does not eliminate, but significantly reduces the risk.
- Tip: Tactics such as utilizing multi-factor authentication and making sure remote desktop protocol (RDP) is not internet-facing are powerful investments.
- Plan for everything: Top companies drive synergies across teams — aligning incident response (IR) and crisis management, disaster recovery and business continuity planning. Through collaboration and strategic foresight, they cultivate readiness, instilling trust across the team to adeptly respond to any scenario.
Tip: Your organization might be faced with a pay-no-pay decision. Determine whether making a ransom payment aligns with your corporate values. If not, are there any occasions when you would pay it anyway? What are they and what factors would you consider when making the decision? Most importantly, determine the process which will be used to make the decision and ultimately who in your organization is going to make the final decision.
- Practice, practice, practice: Ransomware attacks typically put a 72-hour window over companies to respond — and performing tabletop exercises is critical to understanding whether the best laid plans are in fact, the best. It’s key to execute these plans at an operational, executive and board level, as they allow people from across the organization to address unanswered questions and shrink the decision space. When these exercises uncover an issue—refining the plan, adjusting accordingly and practicing again is the best recourse.
-
Tip: Talk to your board about what you would disclose to the markets, the process to make the pay-no-pay decision and trading halts. You should understand the value proposition of law enforcement contact, determine who is going to contact law enforcement and when. Understand who has established relationships with law enforcement because the worst time to try and develop a relationship is in the middle of a crisis.
- Strengthen communication and documentation: Regularly revisit and update communication plans, with a focus on clear record-keeping for transparency. Tailor communication strategies to address the specific needs of different audiences and scenarios, fostering trust and confidence among stakeholders.
-
- Tip: Prepare for how you’ll communicate to your internal and external stakeholders. Determine what you are going to say, when you’re going to say it and how you’re going to communicate it if your enterprise systems are unavailable. Make sure you have draft communications for the most probable scenarios that can be tailored during the incident rather than drafted from scratch.
Tactical, operational and strategic preparation can help preserve trust during a cyber incident and fortify your response strategy, affording you the advantages of speed, accuracy and transparency.
Cybersecurity is the ultimate team sport
Involving key players across the enterprise is vital during the preparation process — their input and collaboration are essential to your company’s readiness, executing an effective response and maintaining trust when it matters most.
Every organization must also recognize its broader role in the ecosystem. We’re all part of a larger ‘team’ beyond our own walls. When breaches occur, it’s not just a single company’s
reputation on the line; it impacts investors, consumers and citizens. It also can prompt regulatory response to enforce greater transparency, like we’ve seen with the
SEC’s cyber rules or
CIRCIA and CISA’s proposed rule for critical infrastructure. New regulation necessitates companies to invest in cybersecurity, shifting their approach on risk management and reporting. It’s a cycle that may continue until transparency, accuracy and resilience are prioritized not just by one, but by the many.
If ransomware is the disease, building trust is the cure
It’s paramount to lean into transparency and accuracy, not only for businesses' own self-interest, but the greater good of our collective ecosystem. Cyberattacks are a communicable disease—we often refer to “computer viruses” for a reason. It’s also important to view the erosion of trust the same way.
By building transparency and accuracy into your approach and proactively preparing a robust strategy, your organization can respond to cyberattacks with greater confidence. This strengthens your defenses against the ‘disease,’ drives resilience and positions your company as a steward of digital trust.