In today’s Insight, we are discussing crisis communications post-data breach and what to do if your company is hacked.
With an estimated 10 million data breaches a day, it is almost inevitable that your organization will be hacked. (Don’t feel bad – it even happened to the CIA). Cybersecurity company, Purplesec, estimates that cybercrime is up 600% since the outbreak of COVID-19, as millions of individuals leave their relatively secure corporate networks and work from home.
Damages suffered by individual companies – loss of revenue, compliance fines, loss of customer data, ensuing lawsuits, forensic IT services, data restoration services, and PR fees – pale in comparison to the potential damage the loss of public trust can have on a company’s reputation.
Companies need to prepare for an eventual breach to react with speed and agility to maintain customer trust and mitigate losses. Below are four ways to respond to a cybersecurity breach.
1. Have a Crisis Team in Place:
Since we know a breach is an eventuality, not a possibility, it pays to plan. Play out the worst-case scenarios and develop a small crisis team in advance; clearly assign roles, spokesperson(s), and pathways for communication. This team should include key executives from the C-suite, legal, IT, cybersecurity, and PR. Some cyber insurance contracts will cover breach coach services, which can help you navigate any legal notification requirements triggered by a breach– along with professional service vendors covered under the policy. Know your coverage and what it covers before disaster strikes.
2. Respond Quickly, Accurately, and Sincerely:
When a customers’ personal and financial information is lost, they will rightly feel vulnerable and angry. The best way to control the narrative is to ensure you’re the one delivering the bad news first, with a sincere apology. People’s personal lives and information is often at stake, and they will appreciate a human and empathetic response. This isn’t an admission of liability, but rather a display of concern for those impacted by the breach. Advise customers on how they can protect themselves and what you are doing to find a solution.
Once the breach is announced, it is critical to be honest and accurate about what you know, when you knew it, and what you are doing about it. Don’t rush to make declarative statements without knowing all the facts; don’t cover up an incident hoping no one will find out. (Just ask Uber’s former CEO, Travis Kalanick, who concealed a major security breach for over one year, paying hackers nearly $100,000 to keep it quiet). Making claims that can later be knocked down will only further erode public trust. As security journalist, Graham Cluley wrote: “You can ask forgiveness for being hacked, but many people will find it harder to forgive and forget if you deliberately concealed the truth from them.”
3. Create Clear Channels of Communication:
Customers, stakeholders, media and employees will all want answers after news of a breach hits. To keep audiences informed and prevent corporate websites and social media channels from being overwhelmed with negative comments and inquiries, consider creating unique and distinct resources, they can go to more information. This can include call centers, a breach microsite, or unique social media channels dedicated to answering questions and providing information. Be sure that each audience has a pathway for communication and a company representative who has the training to handle these responses.
4. Consider Restorative Services:
If your company has the resources (or cyber insurance coverage) to support it, offer restorative services to clients– such as free credit monitoring or identity theft protection services. These are great ways to help soften the blow of the breach. While this won’t buy back trust, it can help underscore that the company cares and wants to make things right.
Today, when we think of cybersecurity, most companies know they need good firewalls and IT protection. With threats around almost every corner, organizations need a thoughtful crisis response strategy that mitigates fall-out and rebuilds public trust.
Thank you for reading our Insight on crisis communications post data-breach. Check out Jessica’s Insight,“Who Your Spokesperson Should Be In a Crisis Situation”, for tips on determining who in your company should handle the crisis situation.
Posted In Crisis Communications