Teiss Head of Consulting Jeremy Swinfen Green looks at how some intangible assets that seem safe from hackers can still be badly damaged in a cyber-attack.
At a presentation on the Hermeneut project* at the Digital Catapult in central London this month, Dr Jorg Freiling of the University of Bremen explained how not all intangible corporate assets are equal.
Many intangible assets, such as data and information, are vulnerable to cyber-attacks. Indeed much of cyber security is concerned with protecting these assets and ensuring that they are kept safe, in line with the principles of Confidentiality, Integrity and Accessibility.
However, Dr Freiling suggested that there are many other intangible assets that also need protecting, assets that are harder to reproduce in a physical form. These assets, including skills, tacit knowledge and undocumented ways of working, are less likely to be stolen or corrupted by hackers simply because they are more intangible than data and information.
They can nevertheless be damaged in a cyber breach.
I am going to call informational assets that can be printed out in the form of physical documents “hard intangibles”. And I am going to call those non-informational assets that are harder to realise in a physical form “soft intangibles”.
Examples of hard and soft intangibles
Are these soft intangibles really at risk from cyber-attacks? I think so, and I’ll explain how.
A cyber breach can have a number of repercussions. Data or information that has been accessed by criminals can be corrupted, made inaccessible or shared with others. This can in turn cause damage to the organisation – damage in the form of fines, a requirement to compensate data subjects, or a loss of competitive advantage.
Some of this damage, such as a requirement to compensate customers, can be measured and protected through insurance. Other damage, such as a loss of competitive difference or damage to reputation, is harder to measure but may become evident over time in the form of lost sales or contracts.
But much of the damage remains hidden. It can’t be insured and the organisation that suffered the breach may not even be aware that it has happened.
First of all let’s take a closer look at these soft intangibles. They include:
- Human capital
- The knowledge people have, based on their experience, but which they haven’t shared in any structured way with their colleagues. This is often called tacit (as opposed to explicit) knowledge
- The skilled people that the organisation has managed to attract, and hopes to keep, in competition with other organisations
- The total set of skills that the workforce has, including the skills of managers
- The positive aspects of culture that the organisation has developed over time, including its approach to creativity and innovation
- The innovations that are emerging from, or being developed by, members of the workforce
- Organisational capital
- Any unique ways of working that the organisation employs that are more efficient than those of their competitors
- The ability of the organisation to deliver above-average quality in customer services
- Relational capital
- The alliances that the organisation has struck with third parties, including any strong supplier relations and any strong customer relationships, especially those that are demonstrated by contracts and agreements
- Reputational capital
- Brand reputation, the value that is tied up in consumer-facing brands; this value that makes them easier to sell or gives them the ability to be priced higher than other similar goods
- The “employer brand”, the attractiveness of the organisation as an employer to talented individuals
- The corporate brand, the way the organisation as a whole, and especially its leaders, is viewed by stakeholders such as regulators and shareholders and by society as a whole
None of these assets are easily translated into documents that can be stolen. Some can be expressed or described but any description is likely to be superficial and missing much of the complexity of the original asset.
For instance, I can turn my tacit knowledge into explicit information. But when I do so I will inevitably miss much of the essential parts of that tacit knowledge – my experience, my emotions, my decision pathways.
And I could describe the relationship I have with a customer by printing off a contract and describing the work I do for them. But the human parts of that relationship, the things that make the relationship work such as trust and reciprocity, will be missing.
Despite the fact that these intangible assets are hard to define and measure (perhaps with the exception of reputational capital), and rarely turned into information, they can be damaged by cyber breaches.
Damage to soft intangibles
Cyber breaches can damage soft intangibles by damaging trust, self-confidence, and the reputation of the organisation.
Trust between parties can be damaged. If a supplier loses your data then you will be less inclined to trust them in the future, with your data and quite possibly with other things such as delivering on time. Your trust in their competence is reduced.
This in turn may make you less likely to share information with them and less likely to give them the benefit of the doubt when other things go wrong. There is damage to your culture and to the established ways you have of working.
Damaged confidence and innovation
Confidence can be damaged. After a cyber breach, people may well be more risk averse, not just around data but around everyday operations. They don’t want to see another damaging incident occur and they certainly don’t want to be responsible for it.
So they work painstakingly – good, you might think, constantly asking for reassurance or asking others to take decisions that they should take – not so good! Skills are not used and innovation is reduced.
The reputation of the organisation’s leadership, and of the organisation itself, can also be damaged in the eyes of the workforce. “How did they let the breach happen?” They question the competency of the organisation and its leaders, becoming cynical and less engaged. Some people leave, taking their skills and their unique knowledge with them.
This damage to trust, confidence and reputation can have long term impact on the culture of an organisation, leading to timidity and risk avoidance, the fracturing of teams as people seek to avoid being held accountable or as a result of fear, and sometimes to a blame culture where people seek to punish rather than to learn when things go wrong.
Avoiding damage to soft intangibles
In any stressful situation it can be hard to stop thing getting worse and spiraling out of control. And this is particular so when you see damage occurring but don’t know why it is happening.
So to protect your intangible assets in the event of a cyber breach, the very first step is to identify those assets and accept that they may be under just as much threat as the information and data that are more directly affected by the breach.
Then if a significant cyber breach occurs there will be a need to identify whether any soft intangibles are likely to be damaged by the breach. It is almost certain that reputational capital will be damaged and there are a number of well-established techniques for dealing with that which won’t be considered here.
However the damage to human, organisational and relational capital is less well understood and imagination will be needed to identify where damage is occurring and what to do about it.
Have third parties such as suppliers reacted badly? If so this may indicate damage to relational capital which will require swift communication?
*Hermeneut is an EU supported project designed to look at the way that intangible assets can be protected from cyber crime