Who you gonna call when the crisis comes

data breach lessons

There will be times in your career when you know that you will face a crisis. These will be times when things will go horribly and irretrievably wrong. The breach news from Yahoo yesterday is a perfect example. One question that I ask folks over and over again is, “What’s your incident response plan and have you tested it?” This will usually illicit a wide variety of responses. Seldom are they 100% positive but, better than I could have hoped for in many cases.

Then I ask the question that I never get a good answer for, “What is your crisis communication plan?” This has almost uniformly been met with glazed eye balls and slack jaws. I’ve wondered why crisis communication is treated like the red-headed step child of the incident response plan.

Let’s take the example of a data breach. Your customer database has been purloined by an apparent external party and dragged across the .onion sites of the world. Your customers are going to have questions. The shareholders are going to have questions. The media is certainly going to have questions. You need to have your plan wired tight before something goes sideways. Yes, I enjoy the logic of that a little too much. Have a pre-canned response to deal with a breach that can be updated with salient details in advance in the sincere hope that it never happens.

I worked at one company years ago and we suffered a data breach. It was an old Wordpress instance that was supposedly taken offline and was no longer Internet facing. Imagine my surprise when I start getting emails from friends mentioning that the user accounts from that site were now posted. Thankfully, it was a small database and those user accounts were not found anywhere else in the environment. So, minimal damage.

The real rub came when this started showing up in the press. The initial reaction of the company was to say nothing and hope for the best. This served to cause more churn on the non-story. The facts of the case were spun out of control because the company didn’t get in front of the messaging in advance. In the absence of information people are more than happy to build their own narrative.

It is a curious human behavior that, in the event they don’t have the pertinent information that they are more than content to draw their own conclusions based on their own personal biases.

Reputational risk is something that needs to be managed like any other risk. You need to anticipate that an event like a data breach can and will happen. This is not fear uncertainty and doubt. More to the point, this is about planning for the worst and hope for the best.

You need to identify who on your team will be speaking to externals. Otherwise it vould end up being a free for all and that can unfortunately lead to the message being confused. Have a spokesperson(s) that are trained to deal with the media. Most large organizations have this sort of function in house and can go a long way to helping get the message across.

Be sure that you know who your stakeholders are and be sure that they receive crisis communications in a timely manner.

When the dust settles be sure to do a post mortem on the situation. What lessons were learned from the event and how can you improve the crisis communications going forward?

Incidents like data breaches can and do happen. The key is to be ready in the event that you are breached or something else goes awry. If you don’t manage the narrative, some assclown armchair quarterback who thinks they know better will step in for you.

Copyright © 2016 IDG Communications, Inc.

7 hot cybersecurity trends (and 2 going cold)