Unfortunately, it’s not a matter of if, but when a cyber incident or a data breach will hit your company.
According to Gemalto, in 2018 there were 945 companies that experienced a data breach, which is almost three per day. That means last year, 945 PR teams probably woke up on a random morning to a terrible crisis for which they were ill-prepared.
In looking closely at these crises, we can see a lot of mistakes that PR professionals make that amplify the issue. Here’s what we’re doing wrong:
1. Not starting early enough. Start a crisis plan, and start one now. I realize that it can be tough creating talking points for a crisis that doesn’t exist and hopefully won’t happen. However, having a plan and pre-approved talking points gives you a leg up. Have you ever stared at a blank screen wondering what to write or how to approach something? Perhaps it’s just me. Now imagine staring at a blank screen while your CEO is hovering over your desk. While a reporter is emailing questions. While you’re getting hammered on social media. Writing under those circumstances is exponentially harder. Take the top two or three crises that are keeping your CEO up at night, and start there. Remember that a crisis PR plan doesn’t have to be perfect, but you do need to perfect it over time.
2. Not sharing info quickly enough. Things move very quickly in a crisis, and facts can be hard to come by. In a cyberattack, you probably don’t know much more than something happened. You don’t know what happened, but something is wrong. There’s nothing wrong with saying: “We’re aware of an incident and are looking into it. We will share more information as we confirm the details.” That’s letting your audience know that you’re taking responsibility and will work to remedy the situation. Undercommunicating leaves your audience to fill in the blanks, which is particularly dangerous during a crisis.
3. Not having the right team. There are two ways to build a crisis team—by function and by temperament. For function, you’re going to need people on your team with a specific skillset. Marketing, product, legal, information security, PR, social, executive, maybe facilities or HR will need to be in the room, depending on the crisis. These functions will ensure that you don’t have knowledge gaps in addressing the crisis. The second function, temperament, is much more important than function. You need people in the room who are calm under pressure, detail-oriented, approachable, respected and confident. If you have someone with the wrong personality in the room, your crisis will be a stress-filled disaster.
4. Not building relationships ahead of time. When a crisis hits, you may find yourself working with teams you might not regularly interface with—perhaps your information technology team, facilities or HR. During a crisis, it’s important to have your team’s trust. The same applies with relationships with reporters. If a crisis were to hit tomorrow, who is the first reporter you’d reach out to? Build strong relationships ahead of time that will pay off down the road.
Hint: Everyone needs to eat lunch, so start there.
5. Not learning from your mistakes. The CEO of my former PR agency had a sign hanging in her office saying. “Let’s Make Better Mistakes Tomorrow,” and I’ve adopted that as my personal motto. To be honest, if you’re not making mistakes at work, you’re probably not pushing yourself hard enough. The best way to grow is to learn from those mistakes to make better ones next time. The same thing applies to crises. After the dust settles on every incident or crisis, we have a “Monday morning quarterback” session to identify what went well, and what should we do differently next time.
Hopefully with a bit of preparation you’ll be ready for when a cyber incident lands on your doorstep. Anything I missed? Feel free to share your top crisis tips below.
Kristin Miller is an affiliate consultant with Ragan Consulting Group. She has more than 15 years of PR experience, with a special passion for technology PR.