Protecting Your Reputation in the Wake of MOVEit and Software Supply Chain Cyberattacks

August 17, 2023
By Spencer Girouard and Alexander Lyall

The ongoing MOVEit vulnerability has become one of the most significant cybersecurity issues in recent years. Several hundred companies have reportedly been affected to date, with the potential of thousands more globally and across nearly every sector.

Unfortunately, this situation is only the latest example of a growing cybersecurity trend: attacks on software vendors that can result in millions of individual victims. The SolarWinds attack in 2020 may be the highest-profile example of this type of event, but in recent months, other examples include a business communications software provider and a developer platform.

It’s imperative that leaders consider the reputational implications of an attack stemming not just from internal systems, but from anywhere within their software ecosystems — including vendors.

The FleishmanHillard Cybersecurity practice has supported multiple clients affected by MOVEit and numerous other breaches. In helping these clients effectively protect their reputations while dealing with these matters, we have identified notable trends that others should consider.

What to Consider When Communicating About a Cyberattack

  • Accept accountability while providing context.

In cases where MOVEit or another compromised software product was used by a vendor rather than by the company itself, the company may have the option to allow the vendor to disclose the breach to the affected individuals directly. Before choosing a path, the company should weigh this choice against its stakeholders’ expectations.

  • Consider all audiences and be prepared.

Organizations may receive questions from stakeholders regarding risks associated with MOVEit. When deciding when and how to communicate, whatever your level of exposure, have a plan that balances transparency with the need to avoid causing undue alarm.

  • Take a long view.

Examine your current risk and ask yourself: Is the data I collect essential for conducting my business? Will my stakeholders be surprised by the data I collect? How many third parties receive that information? What are their data privacy standards and practices?

  • Prepare ahead of time.

Experiencing a data privacy issue is no longer a question of if, but when. These attacks are increasingly sophisticated and common, a trend that will only continue. While a data security incident by itself does not necessarily represent a reputational crisis, failure to meet your stakeholders’ expectations regarding your level of preparedness and your ability to respond in a transparent and timely manner could result in long-term reputational damage. To maintain that trust and protect business continuity, it is critical to have a communications plan that is up to date and takes these nuances and possibilities into account.

You can reach the FleishmanHillard U.S. Cybersecurity Practice Group at [email protected].