In March, editors at the Associated Press Stylebook officially proclaimed that the word cyberattack is “greatly overused”, and clarified that the term should only be employed when it refers to significant and widespread destruction.
By any measure, the AP Stylebook is a credible source. It was first published more than 60 years ago and it’s since become a widely used grammar and style guide for American journalists, publishers, PR companies and marketing departments.
The journal’s lead editor Paula Froke said the editorial team had consulted one of the AP’s top cyberattack experts. “They were unanimous that the word is greatly overused for things like hacking. We caution that the word cyberattack should be used only for significant and widespread destruction,” she said.
I’m all in favour of anything that deflates unhelpful hype around security. I’m not convinced that the most suitable replacement for ‘cyberattack’ is ‘hacking’, though. ‘Hack’ is yet another loaded term with multiple meanings, not all of them malicious. One person’s online onslaught is another person’s convenient workaround. Personally, I prefer the term ‘security breach’.
Like the AP’s resident expert, I think the word ‘cyberattack’ is employed far too liberally. I’ve seen CEO fraud described as a cyberattack when in fact a more truthful and accurate description is criminals taking advantage of poor organisational procedures. If a CFO receives an email that seems to come from their boss, urgently asking to send money to an unauthorised account, that’s not a cyberattack. That’s fraud.
(For the record, I don’t mean to make light of someone else’s difficulty. Any individual or organisation that has suffered a security breach is the victim of a crime. That can get forgotten very quickly. But sympathy and goodwill have a similarly short lifespan in the face of ham-fisted attempts at portraying that crime as something other than what it is.)
The main culprits are companies who use and abuse the ‘a-word’ when describing a breach against themselves. They often compound their offence by propping up their argument with words like ‘sophisticated’ or ‘co-ordinated’, even when the incident has only just been discovered, let alone thoroughly investigated.
In such cases, it’s hard to escape the suspicion that victim organisations reach for these terms as a shield to deflect blame. By definition, they imply the incident was beyond their means to prevent. On a related note, Joseph Carson and Amar Singh have written a good article debunking the ‘myths’ of sophisticated cyber attacks for Security Magazine.
But if there are certain things that shouldn’t be said when describing a breach, what words should be used instead? In a recent episode of the Securing Business podcast, the editor of TechPro magazine Paul Hearns shared some good advice about how businesses should communicate with the media after a breach.
He urged companies preparing a statement to deal only in verified facts rather than straying into the realms of speculation, or proclaiming the sophisticated nature of the attack if that can’t be proven. Helpful answers, in business terms, include details such as the extent to which users or services have been affected by a breach.
There’s a positive side to communicating proactively with the media, customers, suppliers, business stakeholders or other interested parties when news emerges about a security breach. Paul Hearns argued that a well-handled incident can enhance the reputation of the organisation that experiences it, provided that organisation communicates its message clearly without over-reaching.
Developing a communications strategy is an important part of any incident response plan, and as the AP’s move shows, it’s worth thinking about the language we plan to use. It may take some time for the lesson to be absorbed in boardrooms and public relations departments, but if it helps to reduce the spectacle of companies reaching inappropriately for words like ‘cyberattack’, then the AP will have done the business world a favour.