lorendealymahler
Contributor

Silence is not golden

Opinion
Oct 10, 2018, 5 mins
Data and Information Security, Data Breach, Disaster Recovery

How a mismanaged incident response could cost Google more than a social network.

The main objective of communicating around a cyber incident is to protect the company by protecting its reputation. This means working to preserve trust and credibility by effectively sharing information in a clear, consistent and reliable way across a series of audiences, both internal and external.

Navigating through an incident is challenging enough, but keeping this objective at the center of all your communication decisions increases the odds that you’ll come out the other side with a customer base that’s still intact and a business that’s still viable.

If you ignore the importance of reputation management or you wall it off from the rest of your incident response planning, then the rest of your response effort can be rendered moot by the new reality of a diminished customer base. After all, what good are clean, restored networks when no one trusts you enough to continue using them?

This is a point that bears repeating on a daily basis as organizations grapple with incident response best practices. Unfortunately, recent news about the untimely death of Google+ hits that message home in a way that a well-intentioned lecture from a consultant simply can’t.

So, what exactly did Google do? The answer is pretty straightforward. Google+ wasn’t breached, but it did have a large-scale cyber incident that it chose not to disclose. When the Wall Street Journal reported that a bug had exposed the personal user data of Google+ users for several years, the most surprising news wasn’t that the glitch occurred. It was that Google hadn’t bothered to tell anyone when it discovered (and resolved) the issue back in March.

Recall that at that time, the Cambridge Analytica scandal was breaking, and we all watched as Facebook fumbled the ball on its response. According to internal Google memos, the fact that Facebook was facing such a public backlash was at least part of its justification for staying silent.

It’s safe to say that staying silent about an incident on this scale is rarely the way to win trust and loyalty from your customer base. Staying silent because you are afraid of damaging your reputation just increases the odds that when the information gets out, the damage will be even greater.

An alternative course would have had Google owning up to the error, conducting a transparent review of its policies around third-party access, and firmly recommitting to the privacy of all its users. When an incident is caused by your own negligence, you can’t erase the past by ignoring it and hoping no one will notice. They always do, and you always take a hit for not telling them first. Yes, it can be scary to admit mistakes were made, but when the dust settles, you will have strengthened your relationship with your customers by proving to them that you respect and value their interests.

People can be surprisingly forgiving if they think you are handling a situation with integrity and transparency.

The consequences of choosing to stay silent can have a ripple effect that reaches far beyond the initial scope of the incident. People start using the word “cover-up” to describe your actions. They also start questioning your credibility in other areas of your business. If you haven’t been upfront about this, then what else could you be hiding? Facing a series of uncomfortable questions about your reliability and trustworthiness in other areas of your business just extends the tail of the event and ensures you’ll be dealing with the impact even longer. Finally, governing bodies will start to notice. No one likes being kept in the dark, especially not those whose mission is to regulate cyberspace. High-profile questions from elected officials, law enforcement and regulatory bodies never serve to minimize the impact to your organization.

The biggest lesson here for the rest of us centers on how you communicate news of an incident – starting with your initial decision about whether or not to tell. This can be determined by a variety of factors, many of which are predetermined. In Google’s case, it appears to not have had a legal liability to notify anyone – customers or regulators – so from that perspective, they’re in the clear.

However, in your range of options, choosing not to tell anyone is rarely the best course of action. In an event of this scale, it becomes even more critical to prioritize trust. (If you’re a small/mid-sized company, trust plays an even bigger role, so even a smaller scale event could have outsized impact on you.)

Decisions about who you choose to tell and when can also be major factors in driving up the cost of an incident. Making smart decisions about who, when and how to share information relies on having quick access to good data about the different groups who may have a need to know. Conducting a comprehensive stakeholder analysis as part of your incident response planning process will produce the reference tool that guides this decision-making process in an objective way, rather than leaving it subject to the emotions of fear and self-preservation, as appears to have been the case for Google.

As you develop an incident response plan tailored to your specific organization, remember that transparency matters, integrity matters, and most importantly, your customers matter. When you are faced with the decision about how to respond to a cyber event, respect them enough to tell them when something has gone wrong. Preserving their trust will go a long way in preserving your organization.

Loren Dealy Mahler is a seasoned strategic leader with high-level government and private sector experience across national security, strategic communications and crisis management.

From the White House to corporate America, Loren has helped clients leverage effective communications strategies to further business and policy objectives, while mitigating brand impact through effective cyber incident planning and response.

Loren has advised top government officials in her roles as Director of Legislative Affairs at the National Security Council and as Communications Director for Office of Legislative Affairs at the Department of Defense. Prior to that, she ran the communications office for the House Armed Services Committee. After leaving government service, Loren helped Fortune 500 companies and national nonprofits grow and protect their organizations, as Vice President of Corporate Communications for a PR firm in New York.

In early 2016, she launched Dealy Mahler Strategies, LLC, and hasn’t looked back.

Loren is a graduate of Princeton University and holds a Masters in Public Policy from the McCourt School at Georgetown University.

The opinions expressed in this blog are those of Loren Dealy Mahler and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.