[BreachExchange] When A Data Breach Can Be A Benefit To Your Brand
Destry Winant
destry at riskbasedsecurity.com
Wed Jul 12 01:14:53 EDT 2017
https://www.forbes.com/sites/forbestechcouncil/2017/07/11/when-a-data-breach-can-be-a-benefit-to-your-brand/#1958bfa4e6e8
Can a data breach help your brand? It seems like a provocative thought
as we have seen too many companies’ reputations tarnished by a breach.
In reality, no two breaches tell the same story, and how a company
reacts and responds to a breach is what will be remembered.
By now, we have all grown used to hearing that it is not if, but when
an organization will be breached. As individuals, we have grown
accustomed to this sort of breaking news, and we probably have all
been personally impacted by one. For an enterprise, however, one of
the critical things after a breach is not only how quickly it can
mitigate it, but how well it communicates the damaging news to
customers and the public. A data breach may not sink a brand, but a
response to a data breach may well do that.
The stigma associated with a breach is not nearly as strong as it was
four or five years ago. Most of the data breaches that make and stay
in the headlines are the ones where the company's response was
questioned and its communication criticized. Yahoo! took a lot of heat
after its series of breaches, mostly in terms of how lax it was in its
approach to cybersecurity. A password reset was not made mandatory,
and communication was vague and tardy.
It is human nature to not want to spread bad news. In the case of a
breach, it is also challenging to communicate what happened simply
because the company itself may not yet know what happened. The
impacted organization needs to investigate when the breach started,
how it happened and, more importantly, what data was stolen or
compromised and whether that data is of a sensitive nature, such as
personal identifiers, credit card information, health records or even
tax records. In many cases, companies learn about being breached
through a third party alerting them that some of their data is for
sale on the Dark Web. Sometimes these third-party investigators
publish the news with little notice for the company to react. And in
some cases, companies will wait to alert their customers after being
notified.
This may not feel like fair game. So how on earth can a data breach
help a brand?
The (Positive) Brand Impact Of A Data Breach
With data breaches being so common today, organizations should start
looking at them as an opportunity to interact closely with customers.
Transparency is critical to turning what can be a very negative impact
on the brand into a positive one. Even if the breached organization
doesn’t have all of the details at its fingertips to answer the who,
what, when, where and why of a breach, openly and swiftly
acknowledging that a breach has occurred will go a long way in keeping
consumer trust intact. It can keep that transparency going by sharing
regular updates on the forensics investigation itself and on the steps
being taken to ensure a breach will not happen again.
When it comes to a data breach, it is not just about communication; it
is about culture and commitment to customers. Companies that clearly
put their customers first will always come back with a stronger
reputation. Home Depot is a good example of this: It was extremely
proactive in its response, alerting customers even before they had a
chance to fully confirm the breach.
You’ve Been Breached — Now What?
There are many steps to take to mitigate and shut down a breach once
it’s happened, and every organization should have a response plan in
place. They should also all have a crisis communication plan, which
ensures that while one team works on the forensics and mitigation
aspect of the breach, the other team is busy communicating the details
of the breach to its core constituencies. Above all, the communication
to customers and to the public should come from the executive team as
this will signal just how seriously the breach is being considered.
Five Rules To Follow In Data Breach Communications
To get ahead of the next data breach you may face as an enterprise,
here are five communications rules to bear in mind:
Have a communications plan in place in the event of a data breach.
Within that plan, it’s important that you include various scenarios
based on whether you know the extent of the breach, what information
was breached and the timeline for when the breach most likely
occurred. A communication timeline should be established based on the
findings, with regular updates shared with various stakeholders.
Prioritize your customers and communicate with them first. Customers
are the ones who will ultimately help you preserve the reputation of
your brand. Recognizing a leak early is always better than waiting for
your customers to see it first in the news. This is the fastest way to
keep and maintain consumer trust.
Involve senior leadership in your communications strategy. Having the
message come from the top executives is crucial to showing customers
how seriously you take the security incident. Having the whole company
aligned behind one message will only strengthen the impact your
response has on customers.
Be transparent. Outline the steps your company is taking to mitigate
the breach and keep the lines of communication open, providing regular
updates online (in a blog post, for example) where customers can
easily find more information about the breach.
Communicate, communicate, communicate. The more you openly discuss the
topic, the more in control of the situation you will be perceived to be.
Continue communicating well after the news headlines are publicized to
show that your commitment to protecting your customers' data is real
and constitutes a significant investment.
While no company is safe from attack today, all companies can be
proactive in how they plan for the inevitable. In doing so,
organizations can actually turn a very damaging event into a
brand-reinforcing event, fostering customer loyalty for the long haul
if handled properly. Brand trust must be protected — this is so
important because once consumer trust is lost, it’s almost impossible
to get it back.