As the number of corporate data breaches continues to mount, boards and management teams around the world are justifiably concerned about the reputational risks of mishandling a breach. In the wake of a string of high-profile breaches across a range of sectors, from entertainment and health care to retail and government, it’s clear that a poorly managed cyber crisis can cost senior executives their jobs and do longer-lasting damage to the company.
There are best-practice ways to prepare for a breach – and worst-practice ways to respond.
The biggest mistake companies make is to say too much, too soon, too confidently. In the days immediately following a breach, no company can fully know the scope of the incident. Providing too much detail early on is the first step down a road of repeated, and uncomfortable, corrections of your own story, which keeps the issue in the news while eroding your company’s credibility.
Target Corp., for example, initially said 40 million payment-card accounts were affected by its December 2013 breach; a month later it disclosed that personal data for up to 70 million additional customers had also been taken, bringing the total to as many as 110 million. Similarly, Home Depot Corp. in September 2014 said 56 million payment cards were affected, and a month-and-a-half later added that 53 million customer email addresses had also been stolen, bringing the total to 109 million records. U.S. officials said in June 2015 that a hack of the Office of Personnel Management affected 4.2 million current and former federal employees, and a month later said there were two breaches affecting nearly 22 million people. In each case the revision came not from a recount but from the discovery that additional systems or categories of data had been compromised, which is exactly what an early, confident figure cannot anticipate.
Focusing on your customers and their needs is the best way to navigate through the challenges of a breach. Showing all stakeholders—employees, business partners, investors, and the public—that you are managing a breach competently and confidently will help preserve your company’s reputation.
Corporate boards are increasingly asking what management is doing to prepare for breaches, even as many companies continue to punt on preparedness. At a recent computer security conference in Dallas, only a few hands—of hundreds—went up when attendees were asked if they had ever participated in a company-wide cyber security drill.
And yet the best cyber-responses reflect thorough planning and practice.
Scenario-based planning is one of the most useful actions a company can take in advance of a breach. Developing relevant and usable preparedness materials allows companies to resolve internal frictions before a crisis, address business continuity concerns, and clarify who will speak for the company. The plan should also spell out how the response team will reach one another if corporate email and phones are unavailable, since a destructive attack can take those down along with everything else. That plan can then be tested with a company-wide drill or “war game.”
Because hackers often infiltrate corporate computer systems by tricking an employee into unknowingly providing access, another sensible approach is to ingrain cybersecurity into corporate culture through a sustained, internal education campaign. The goal is to both reduce the risk of cyberattacks and ensure that employees understand the importance of the role they play protecting company computer networks.
This approach can feel like advertising—and in many ways it is. Marketing techniques can often be adapted to engage and educate employees in language and format that speaks to them. Many information security officers say they now view “thinking like an advertiser” to be an increasingly important, if unfamiliar, aspect of their job.
When a data breach does unfold, what rules should leadership live by? First and foremost, focus on authenticity and customer needs. Using overly legalistic and technical language in external statements can be off-putting—especially for customers.
After the deluge ends, the best step a company can take is to immediately begin preparing for the next incident. Assess strengths and weaknesses, and incorporate them into your future response plan.
Planning should also take into account new cybersecurity threats. The latest risk: the Big Data Breach, with the theft of troves of data from healthcare companies, the Office of Personnel Management, and others.
Cybersecurity officials now warn that cyber attacks that destroy and manipulate an organization’s data are a growing threat.
We’ve already witnessed some hugely destructive attacks. A little-appreciated element of the high-profile attack on Sony Pictures Entertainment a year ago was that it took down the company’s network, making internal coordination incredibly difficult without access to phones or email.
In July, Paul McGlaughlin, Sony’s director of IT production services, offered his personal view at a technology conference, where he reflected on the difficulty of discussing the scope of the problem publicly—and communicating internally with corporate systems down. “The communications part was the most challenging of the initial problems we faced,” he said.
Now, he preaches preparation.