Not a week goes by where a data breach doesn’t rear its ugly head – recently we have seen Tumblr and LinkedIn fall victim to cyber attacks, while TalkTalk, Sony and Target have become big name brands synonymous with the ‘mega breach’ moniker, seemingly mentioned in every introductory paragraph of data breach rhetoric. MySpace is reportedly the next giant to be exposed in a mega breach, rumoured to be the biggest data breach yet – though we will have to wait to see if this accolade materialises.
In CBR’s data breach series, we have told you how to identify if a data breach has hit your business, followed with what to do in the first few critical hours after discovery. Response to a data breach must be led by quarantine, blocking the threat and removing the malware or vulnerability. However, there is a non-IT side to every response plan – a side which is just as important as the technical response in the mitigating of damages to the business.
When we talk about mitigating damages, it may be more helpful to dispose of the corporate speak and call a data breach for what it is – a potential PR disaster which could decimate the reputation of any business, big or small. It is brand reputation which Matthew Raven, Blabit CMO, argues should be the immediate focus following any breach.
Talking to CBR, Raven said: "If a breach has actually taken place the primary concern in the immediate term is the impact on corporate reputation, so the focus of leadership must be on damage limitation, carefully managed communication and, as far as is possible, transparency. Customers have to know the implications of the breach and what they can do, if anything, to protect themselves from further harm."
Transparency, as Raven mentioned, is key to avoiding a PR disaster. That transparency needs to be directed three ways – to the customer, to the employees, and to the regulators or authorities. This is where the non-IT team needs to be assembled – PR, HR, Legal must come together and act fast. We have talked about speed when fighting a data breach on the technical side, but the non-IT teams need to be just as quick, as Fred Ghahramani, founder and CEO of private messaging app Just10, told CBR:
"BP wouldn’t wait a month to make a statement on an oil spill, because that period of silence creates a vacuum, into which can get sucked in speculation and false accusations, which when not refuted, would negatively impact the brand and the public’s perception of the organisation.
"It’s extremely important to "own" the data breach from the very moment that you become aware of it. Inform the customers impacted, educate and guide them through how to mitigate further losses, and be transparent about what you know, and what you are investigating. Provide frequent updates and communication, and don’t evade questions from customers, the public, or the media"
Customers impacted by the data breach must be informed, as Ghahramani says, communicating with the one group of people who makes your business money is key to keeping their custom going forward. This speed in response and communication also needs to be repeated when dealing with your employees – at the end of the day they need to know what’s going on. Nick Hawkins, EMEA MD of Everbridge, the comms company Sony used during their break-in, highlighted the dangers of not communicating with employees to CBR:
"In the event off an emergency, customer service and support teams could be flooded with calls from worried customers or employees. In the era of social media stories can quickly explode and cause mass confusion to make communicating in an emergency even more difficult.
"The faster IT staff can identify and fix the problem, the lower the impact on company productivity. The earlier customer support teams know what is going on, the better their response to customers is likely to be. The earlier the marketing department can understand what needs to be communicated on websites and social media, the lower the impact on the company’s reputation."
Transparent communication is key – yet companies are still trying to dust data breaches under the corporate carpet. You only need look at the infamous 2013 data breach which hit Target as a case study on how not to deal with a data breach. 40 million customer payment cards compromised, yet Target didn’t come clean and the data breach was exposed on a blog by Brian Krebs.
It then got worse…customers could not reach the company due to the customer service line being jammed and banks were not notified about the compromised card details. Do you see the theme about the lack of communication here? This all led to the CIO and CEO resigning, an estimated £200m in costs related to the breach and Target’s share price losing, shall I say, stability.
Target is a case in point that without effective, fast, transparent, honest communication, a brand can nosedive in the reputation stakes. On this side of the pond, TalkTalk was hit for £60m and over 100,000 customers. And yet, there are some breaches which prove the strength of good crisis comms integrated in incident response planning. Mike Fenton, CEO at Redscan, told CBR that eBay should be looked at as the way to handle a breach.
"As they identified the breach early on in the process, the company was able to advise its customers of what was taken, what they should do to protect themselves and what steps the company was taking to remove and protect against the threat.
"This made eBay look competent, it contained the damage and the situation was dealt with efficiently."
However, a data breach will always bring a retinue of criticism and customer backlash. The argument is that it shouldn’t have happened – an easy argument when you are a consumer and are not aware of the shifting complexity of the threat landscape. However, as Fred Ghahramani argues, customers could learn to forgive if the data breach is handled in the right way.
"At the end of the day, customers are willing to forgive a brand or organisation that suffers a data loss, if the organisation’s handling and communication in the time of crisis seems genuine, forthright, and transparent. A little bit of preparation and planning can be a great insurance policy to making this happen."
Preparation and planning on the non-IT side must be integrated into a strong incident response plan. Crisis comms is essential in protecting your corporate brand, protecting your customer base, and protecting the future of your company following a data breach. As Alexander Seyf, Partner at Sytel Reply, told CBR:
"Notification and management of the situation is crucial. It is important organisations avoid the PR disaster that comes with being exposed. In order to reduce the consequences of a breach, all businesses should put a plan in place for communicating breaches to key stakeholders which must include clients/customers, partners and suppliers, employees, social media, press etc."
We all know the much quipped ‘not if, but when’ quote when it comes to data breaches – these data breaches and mega breaches are not going to stop happening. When it happens to you, here’s hoping you deploy the holy trinity of crisis comms – honesty, transparency and speed – it might just save your business and your reputation.