Cybersecurity breaches have legal, compliance and risk executives on high alert—and with good reason.
The Identity Theft Resource Center reports that a total of 9,668 security breaches from Jan. 1, 2005, to Nov. 30, 2018, exposed more than 1.6 billion potentially sensitive personal records.
Criminals are stealing more data from companies, and data breaches are publicized more frequently, the ITRC states. Consider the high-profile cases involving Equifax, Yahoo and Target.
It’s difficult to determine whether there are more security breaches now than previously, the ITRC says, given that more and more companies reveal breaches because of legal requirements or public pressure.
Data breaches usually involve theft of customers’ sensitive personal information. After a breach, the company’s stock price might plunge, at least temporarily. An ensuing PR crisis can damage the brand’s reputation and customer relationships.
“When a breach is revealed, the attacked company is portrayed not as a victim, but as negligent and, in a subtle way, complicit in the event that ultimately exposed partners and customers,” Steve McGaw, CMO of AT&T Business Solutions, writes for the PRSA.
Here are nine practices for readiness and response:
1. Prepare. A security breach is possible no matter how skilled your IT team is. Create a communications plan for security threats, establishing clear protocols for how to respond and how to inform the public and stakeholders. “The worst thing you can do for your brand once news of a breach hits is to have to scramble to find out who to work with to understand the issue, who is communicating to what audience, and who needs to be looped in,” McGaw says.
2. Benchmark and train. Companies are more likely to be confident in their crisis management plan when they regularly benchmark against best practices, conduct drills on key risk areas at least once a year, and name a formal crisis management team, according to Morrison & Foerster and Ethisphere.
3. Establish the facts. When a data breach occurs, the first step is to hold a “What do we know?” session that includes top executives from legal, PR, security, IT and any other relevant department. Determine what data was compromised, the number of people affected and potentially affected, how they should be alerted, whether the security hole has been fixed, and what law enforcement agencies have been notified.
4. Communicate. Promptly and honestly disclose what you know. If you’re still searching for answers, say so. People don’t expect you to know all the answers immediately, but they do expect candor. Ongoing updates as the crisis evolves are crucial for maintaining trust. Communicate directly, not through the press, with the affected individuals. Setting up a special website or an easily accessible page on the corporate website gives those individuals, as well as journalists, a central location to find accurate information.
5. Create a war room. A 24/7 hotline to a contact person or department handling inquires and a script responding to questions can ease the communication flow. Prioritize news media queries.
6. Use simple language. Cybersecurity is a complex field full of abstruse jargon. Such esoteric vocabulary can mystify the public and journalists, ultimately creating distrust. Simple, clear language is best.
7. Take responsibility.Apologize—sincerely and without excuses—for the inconvenience and disruption. It’s essential that you outline your intended steps to protect affected individuals, to resolve the issue and to prevent further problems, PR crisis specialist Emily Dent asserts in Computer Weekly. Taking responsibility conveys that the organization intends to ensure it doesn’t happen again. Blaming hackers or others implies that the issue is out of the company’s hands.
8. Keep key stakeholders informed. Involve top leaders in actions during the preparation of the communications plan and the crisis itself. Without timely information, you risk the spread of conjecture and rumor. Still, be judicious. “We typically would not communicate all the details of a breach to all employees,” Chris Leach, chief technologist for HPE Security Services, told MIT Technology Review. “We’ll only share enough to make sure they’re confident that we’re handling it, and that this is information they could, and should, share with their customers.”
9. Keep tabs online. Close monitoring of social media enables you identify any misinformation circulating and to know when you should respond immediately.
A version of this post first appeared on the Glean.info blog.