It’s an unavoidable fact: Cyberbreaches are increasingly becoming an expected part of doing business. According to an AT&T Cybersecurity Insights report, 62% of organizations surveyed acknowledged they were breached in 2015. So what can businesses do to protect their assets, customers, and reputation? An incident response plan that includes a sophisticated post-breach communication strategy is key.
Most folks in business now recognize that post-crisis communication can make or break a company’s reputation, standing as proof that the organization is or isn’t dependable and transparent. A case in point is the large national health care provider that in 2015 won widespread kudos for rapidly reacting to a major data breach and notifying the media. By working with reporters, they were able to get their message out quickly, alerting the public to the effects of the breach and their planned responses.
But post-crisis communication techniques aren’t static. As communication technology evolves, the means and rules for getting the message out must change too. For some, the newest wrinkle in crisis communications is social media, with its reduced response time of hours rather than days. And that’s the potential danger. Social media’s role should be to support the overall communication plan, not to act as a reactive driver. Throughout a breach, the social media team should monitor social outlets, tailoring responses to the company’s strategic communication plans.
Trust but verify
Without regular testing, a post-breach communication plan can get stale if it sits on the shelf. New threats, new business technologies, and new employees can render any plan obsolete and useless in the midst of a crisis. Regular tabletop exercises ensure that a team can act swiftly and confidently, whatever the type and size of the breach.
“It’s important to work with real-world scenarios,” says Todd Waskelis, executive director of Security Consulting Services at AT&T. “If someone from the media calls, how is that handled? Are they routed to the authorized PR contacts? You’re trying to gauge how well people understand the plan, how well they’re working together under pressure, and where the gaps are that need to be reinforced.”
Practicing also serves to minimize the opportunity for an organization to appear disorganized. In 2015, employees at a popular online auction site fell victim to phishing emails, resulting in the loss of personal information for millions of users. The company came under criticism for not informing its customers quickly – in fact, most learned of the breach from the media – and for the lack of promised information on its website.
Calm, cool, and collected
While every response plan is unique, a robust post-breach communication plan can avoid major missteps with these best practices:
- Respond quickly but resist the instinct to over-communicate.
- Rely on boilerplate statements that have been prepared in advance and preapproved by stakeholders.
- Focus on customers in your public messaging, and not so much on your company.
- Consider setting up a section of your website where customers, the press, and others can get up-to-date information about the cyberbreach and your company’s response to it.
- Promote a proactive message about the positive steps your company is taking in response to the breach.
A well-publicized breach isn’t an automatic sentence to financial loss and a dented reputation. With a carefully planned and implemented post-breach communication strategy, an organization can limit negative impact and quickly get back to business.
Carin Hughes is an editor of the AT&T Cybersecurity Insights report.