Organizations of all sizes need to be prepared for a security breach.
Most important to the company’s reputation is how these security breaches are handled. According to a study of 2,300 businesses conducted by IBM and Ponemon Institute, the average business will spend $19.6 million to address security disruption within a two-year period — and 75% of that expense will go toward reputational damage and the bottom line.
How can an organization’s reputation be saved in the event of a security disaster? The key is having a PR strategy tailored toward dealing with security disasters.
Here are five tips for handling security disasters in an organization.
Expect the worst
According to Melanie Thomas, an expert on privacy and security-related incidents, the biggest mistake an organization can make is being unprepared for a data breach.
“People falsely assume that they’re prepared because they ran a drill four years ago,” Thomas said. “They also assume they’re insulated from a crisis like a data breach because they have a solid IT team. Worse still, they think they can figure it out at the time a crisis hits. That’s like playing roulette.”
If the security breaches experienced by Yahoo, eBay, and Target are any indication, then having a solid IT team won’t insulate a company from security breaches.
According to Thomas, security crises can take many forms. These can range from an ordinary data breach or cyber attack to a crisis due to employee error, employee sabotage, or natural disasters.
Regardless of the source of a security disaster, the first step in effectively protecting an organization’s reputation is being prepared. Anticipate all forms of security disasters and prepare a PR response plan in the event that one happens.
Be transparent but cautious in your public response
The PR response to a security breach has to be balanced. Respond too quickly, before all the facts are in, and you may cause false information to be spread. Respond too late, and you run the risk of unofficial sources weighing in and the public’s trust being lost.
According to John Mason, a cyber security and VPN expert, and founder of TheBestVPN, the best solution is being transparent without being too hurried.
“Let people know something has gone wrong, that you’re in control of the situation, and are committed to keeping them informed, and that you’ll communicate further as soon as you have all the facts,” he said.
Mason advises against delaying communication when there is a security breach.
“It’s not easy, but it will be worth it,” he added. “Delaying like Equifax did and taking six weeks to inform users after discovering the breach can quickly backfire.”
At the same time, don’t be in too much of a rush. When keeping people informed, only disclose the facts the organization has confirmed.
During Target’s security breach, the brand disclosed information that underestimated the number of users affected, then failed to take responsibility, and later revealed that more people had been affected than was initially stated. This sent a message that the company wasn’t prepared for the situation and was ill-fitted to address it. Target paid dearly for this misstep: Its stock tumbled, its CEO was fired, and it became the victim of a class-action lawsuit.
Control the narrative
It’s not easy being CEO when you find out that 145 million user accounts have been compromised. Providing information to stakeholders and the public in situations like that can be difficult, but it is necessary. More important, the brand must ensure it is the primary — and only official — source of communication in the aftermath of a security disaster.
Here are some tips for controlling the narrative:
- Make sure the brand is the first to inform the affected parties and the public about the security disaster. If word first gets out through unaffiliated sources, then people are less likely to trust what comes from the company. If the brand communicates first, though, it retains power as the official source.
- Be specific about the scope of the hack and what the company knows. Don’t try to make claims that cannot be validated just to try to allay fears. If these claims are proven false, trust in the brand will diminish.
- Don’t worry about the company’s financial position. Life happens, and very few organizations can go through a security disaster unscathed. The major concern is to limit the impact of the disaster and ensure a quick recovery. Communication missteps made while trying to save a company’s financial situation could prove even more costly down the line.
Create dedicated channels for disseminating information
Depending on the organization’s size, a security disaster will likely cause your staff to be overloaded with external requests (users, media, etc.), and you need to be prepared for this additional workload. Preparing for it shows your commitment to addressing the disaster and reduces the chances of the brand being misrepresented.
Some ways to do this are:
- Create separate social channels aimed at providing sensitive information and answering user requests related to the security disaster.
- Make relevant information related to the security disaster immediately available on these channels.
- Be timely when it comes to addressing inquiries related to the security disaster. Taking too long to respond only makes things worse.
- If possible, ensure the bad news is released quickly; letting it drag on will only make the problem appear bigger than it really is.
Put an executive face on the front lines
When there is a major security disaster, people want to see a face explaining the nature of the incident as well as the measures taken to address it.
Two points to keep in mind:
- Having conflicting information released internally will aggravate the situation. If possible, have just one or two people discuss the disaster, to ensure what is being released is consistent.
- Having a senior-level executive, such as the CEO, respond to the breach will give the appearance that the brand is serious and committed to resolving the situation. However, it is important that the person who handles this communication is well informed and appears in control.
There is no hiding from a security disaster. But it’s the way the situation is handled that can allay the public’s fears and show the brand is in control.