Cyber breaches worry companies more than any other crisis, according to a study conducted by law firm Morrison & Foerster and Ethisphere. Only 34.1 percent of respondents said that they feel “very confident” about how useful their crisis plan would be in the event of an actual breach or other PR crisis.
Cybersecurity breaches have legal, compliance, and risk executives on high alert—and with good reason.
The Identity Theft Resource Center (ITRC) reports that a total of 9,668 security breaches from Jan. 1, 2005, to Nov. 30, 2018, exposed a total of 1,643,148,162 potentially sensitive personal records.
Criminals are stealing more data from companies, and data breaches are publicized more frequently, the ITRC states. It’s difficult to determine if there are more security breaches now than ever before, since more companies now reveal breaches due to laws or public pressure, it says.
A few high-profile examples include Equifax, Target and Yahoo. The data breaches allow theft of customers’ sensitive personal information. After a breach, the company stock price may plunge, at least temporarily. An ensuing PR crisis may seriously damage the brand’s reputation and customer relationships.
“When a breach is revealed, the attacked company is portrayed not as a victim, but as negligent and, in a subtle way, complicit in the event that ultimately exposed partners and customers,” writes Steve McGaw, CMO of AT&T Business Solutions, for the PRSA.
Preparation is the best defense. A security breach is possible no matter how skilled your IT team. Create a communications plan for security threats that establishes clear protocols for how to respond and how to inform the public and stakeholders. “The worst thing you can do for your brand once news of a breach hits is to have to scramble to find out who to work with to understand the issue, who is communicating to what audience, and who needs to be looped in,” McGaw says.
Benchmark and train. Companies are more likely to be confident in their crisis management plan when they regularly benchmark against best practices, conduct drills on key risk areas at least once a year, and name a formal crisis management team, according to Morrison & Foerster and Ethisphere.
Establish the facts. When a data breach occurs, the first step is to hold a “what do we know session” that includes top-level executives from legal, PR, security, IT and any other relevant department. The purpose is to determine what data was compromised, the number of people impacted and potentially impacted, how they should be alerted, if the security hole has been fixed and what law enforcement agencies have been notified.
Communicate. Promptly and honestly disclose what you know. If you’re still searching for answers, say it. People don’t expect you to know all the answers immediately, but they do expect communication. Ongoing updates as the crisis evolves are crucial for maintaining trust. Communicate directly, not through the press, with the affected individuals. Setting up a special website or an easily accessible page on the corporate website gives those individuals and the press a central location to obtain accurate information.
Create a war room. A 24/7 hotline to a contact person or department handling inquiries and a script responding to questions can ease the communication flow. Prioritize media queries.
Use simple language. Cybersecurity is a complex field full of abstruse jargon. Such esoteric vocabulary can mystify the public and journalists, ultimately creating distrust. Simple and clear language is best.
Take responsibility. Apologize for the inconvenience and disruption. Sincerely. Without excuses. To start rebuilding trust, the apology should include an indication of steps being taken to protect affected individuals, to resolve the issue and to prevent further problems. Owning up to the breach can restore trust in the organization. A clear statement detailing what steps will be taken to avoid future breaches is vital, writes PR crisis specialist Emily Dent for Computer Weekly. Taking responsibility implies that the organization intends to make sure it doesn’t happen again. Blaming hackers or others implies that the issue is out of the company’s hands.
Keep key stakeholders continuously informed. Involve top management in actions during the crisis and the preparation of the crisis communications plan. Without timely information, conjecture and rumor can spread. However, experts recommend against releasing all the details of a breach. “We typically would not communicate all the details of a breach to all employees,” Chris Leach, chief technologist for HPE Security Services, told MIT Technology Review. “We’ll only share enough to make sure they’re confident that we’re handling it, and that this is information they could, and should, share with their customers.”
Monitor media and social media. Close monitoring of social media enables you to know about any misinformation among the public and to know when people say something that requires an immediate response.
Bottom Line: Data breaches remain an ongoing threat. It’s essential for corporate communications teams to prepare contingency plans. A swift response, taking responsibility and explaining how the organization will prevent future breaches are key to restoring trust.
William J. Comcowich founded and served as CEO of CyberAlert LLC, the predecessor of Glean.info. He is currently serving as Interim CEO and member of the Board of Directors. Glean.info provides customized media monitoring, media measurement and analytics solutions across all types of traditional and social media.