When your organization suffers a data breach, getting ahead of the fallout, and staying on top of communication throughout the response, is essential, as breaches can negatively affect business and your reputation. With cyberattacks on the rise during the COVID-19 pandemic, it's crucial to know how you will respond in the event of a breach. For better or worse, most consumers now realize that cyber breaches are inevitable. "How you manage an incident is more important than the incident itself," says Siobhan Gorman, a partner in the Washington D.C. office of the Brunswick Group, where she focuses on crisis, cybersecurity, public affairs and media relations. "You will take less of a reputational hit for having an incident if you manage it well." Here are four tips for communicating after a cybersecurity event.
Create a plan
Companies should create data breach response plans that address not just technical aspects but also communication and reputation management. Gorman says it should include key decision-making processes, noting who will make the decisions, their roles and responsibilities, and specific scenario details. Communication templates can be prewritten, then adjusted during an event. "It's much easier to gain consensus between the communication, legal and technical teams about the basic things you could say, in a no crisis time," Gorman says. Decisions made ahead of time might include whether to offer credit monitoring and which breach response steps the company wants to share, showing it takes cybersecurity seriously. Companies should make as many communication decisions ahead of time as possible, minimizing it during the crisis period. "You don't want to be dealing with it for the first time then," she says.
In an ideal world, Gorman says, companies should only communicate once or twice during an incident. The first is on the front end, letting stakeholders know you're investigating the incident. The second is if you need to share your findings in a high-level summary to the stakeholders, which may also include the public. Even when communicating to employees, Gorman says you should assume it will be shared externally. "The key decision rule around updates is don't provide any details you wouldn't stake your job on, because you might have to," Gorman says. Take time to think through the situation, says Jason Maloni, president at crisis management public relations firm JadeRoq. Leadership often responds too quickly, which results in saying the wrong things. Leadership, legal counsel and forensics should initially evaluate what's known, what you still need to know, and what you need to do now. Maloni, who has handled more than 500 cyber breaches in the last decade, says that while there are dozens of questions to anticipate ahead of a difficult disclosure, he recommends focusing in on these three:
- What happened?
- What are you doing to fix it?
- What are you doing for me?
Sometimes the best answer is "we're aware, and we're investigating," he says. Investigating can take time. The BakerHostetler "2019 Data Security Incident Response Report" found it took 28 days on average to complete a forensics investigation, meaning answers may not be available to stakeholders for more than a month.
"Every company is a data company." —Siobhan Gorman, partner, Brunswick Group
Prioritize your stakeholders
Leadership should prioritize your different stakeholders as it relates to communication. For business and regulatory reasons, you may need to reach out to different groups at different times. That might include doing a regulatory filing first and then publishing a public announcement. Or the business partners may need to hear directly, rather than from a news report or external source, Gorman says.
Address audiences where they are
If your stakeholders are on social media, that's where you should engage with them, Maloni says. With employees, you might find that it's best to meet with them directly, especially if there are rumors going around. It's important to rely on the existing communication channels and the people who typically share this type of news. "If you hear from the CEO in the first communication, that tends to be alarming," Maloni says. However, different circumstances may require stronger measures. A large data breach from a major credit agency would warrant a CEO response rather than a generic company announcement. No matter what business you're in, you should have a plan for how to handle a data breach. "Every company is a data company," says Gorman. Most companies maintain a significant amount of data, and companies of all sizes should plan for data breach communication ahead of an incident. "Just because a company is small doesn't mean someone won't come after you," she says. Smaller companies are targets because they hold data from larger companies. Hackers may presume it's easier to get the data from third parties. "If there's a data breach and they lose a major company's information, that can have an outsized effect on their business," Gorman says. And the communication response to that breach can make or break the company.