[BreachExchange] Your Company Needs a Communications Plan for Data Breaches

Audrey McNeil audrey at riskbasedsecurity.com
Mon Oct 10 18:54:17 EDT 2016


https://hbr.org/2016/10/your-company-needs-a-communications-plan-for-data-breaches

In an instant, any business can find itself in the frightening position of
watching the brand you’ve worked so hard to build being taken to its knees
by a cyber breach. Few things are more damaging to a brand’s reputation
than a hack in the headlines, and in the event of a public security
incident, it’s highly likely that the Chief Marketing Officer (CMO) and the
Chief Security Officer (CSO) will be the first people the CEO looks to and
says “What do we do now?”

When a data breach happens, there is nothing worse than trying to figure
out how to manage the crisis on the fly as it is still happening. That’s
why every strategic marketing plan, and every company’s overall security
strategy, should incorporate a data breach communication plan.

Even a rumor of a breach can trigger a communications crisis. Here’s a
generalized scenario similar to cases we’ve experienced: A hot new mobile
technology company lands one of the most successful IPOs of the year. A
hacker going by the name of ‘Tumbleweed’ enters a forum and brags that the
device can be hacked. Other hackers begin to post on different forums, and
a newspaper picks it up. A news cycle begins. Senior engineers in the
company respond to the forums by denying the hacking claims. Hacker forums
go crazy and issue a “bug bounty” to try to compromise the device, with
some claiming success. The mainstream media is not aware of the technical
details and only picks up on the claims of a successful hack. The company’s
legal team advises executives to take a tight-lipped approach, and as a
result, no proactive communication steps are taken. Customer service gets
flooded with calls, the stock plummets and sales stall just before the
holidays. Investors take legal action.

According to a recent Ponemon Institute study, data breaches are among the
top three types of incidents that affect brand reputation, and consumers
often expect compensation after a security compromise.

The good news is that there’s much that can be done ahead of time to
prepare for a data breach to get everyone on the same page. It can’t be
stressed enough how much time this will save later in trying to determine
how to respond.

First, decide who in the organization is best suited to handle the crisis
and form a crisis communication team (as a subset of your breach response
team). Outline their roles and identify the decisions around messaging and
communication that they can make in real time.

Next, with your security team, take inventory of your data assets and
potential risks, and conduct an impact assessment. This should also include
knowing what kind of attacks make you most vulnerable, anticipating
potential goals of an attack and running simulations as a working group. To
do this, you should have a business-driven view of how security tactics are
tied to the way your business manages risk. For example, your IT security
team or security operations center's (SOC) early monitoring and detection
functions should be aligned (through its people, processes and technology)
to the business’s most critical assets (“crown jewels”). In the event of a
potential data breach, the team should be able to quickly provide early and
ongoing status communication to the CMO and CSO to formulate the best
response actions based on the overall breach communication plan.

Then, determine and document exactly what you are legally obligated to
disclose, and assess brand impact based on both legal implications and
public opinion optics before deciding on a proactive and/or reactive
communication approach. Publicly traded versus private corporations may
have much different notification, reporting and regulatory requirements and
— depending on the specific industry — the clock can start to tick much
sooner than you might think.

In the aerospace and defense industries, for example, where there may be
time-sensitive/classified national security matters, getting out ahead to
communicate and collaborate with your customers, government, defense
industrial base (DIB) partners and law enforcement counterparts puts you in
the driver’s seat, and allows you to anticipate and gain greater visibility
into areas you may need to react to in your future communication actions.

Next, be sure that you know who your biggest advocates are when it comes to
your customer base, partners, investors, and media pundits, as the tide of
public opinion can turn very quickly during a cybersecurity crisis. Make
sure you have relationships established with top broadcast, print, social,
and security experts, as well as market influencers. Work closely with your
external public relations (PR) and media partners and identify specialists
in crisis management and communication who can be an extension of your
internal team so that when a data breach happens, they will be at the table
with you. This may mean investing in relationships that are outside of your
primary communications plan, such as security bloggers who regularly
comment on prominent breaches or third tier media with a tendency to
sensationalize such topics.

Know which people in your organization are best suited to be spokespeople
for which audiences and make sure that they are trained. The general rule
is that one size does not fit all, so make certain you have spokespeople
who are qualified experts in each of the technical and functional areas of
your business. Your head of engineering might be best equipped to post a
response on a developer site or field customer product concerns, while
senior counsel, a risk officer, a customer service executive, or your CSO
or CMO might be the best person to speak to the media. Consider factors
such as who has the best communication skills, prior experience with the
media, authority in the company, and relationships with stakeholders.
Remember, those you identify for this strategic task may not be your
current go-to spokespeople, so make certain they are trained and refreshed
on a periodic basis.

Next, determine which messages you will reveal when, from your first
disclosure through to the final investigation. A breach unfolds over hours,
days, weeks and months as more facts are made available. You may not be
able to wait to disclose information or respond until all the facts are
known, so discuss with your executive team what the boundary conditions
would be for disclosure for each stage. Consider what to say about the
proactive steps you are taking based on the nature of the incident and what
customers or those affected need to do and how you intend to help them.

You’ll need to manage your brand’s social contract during and after the
fact, because your brand reputation will be decided with or without you.
Depending on the goals of your business and your brand values, it may be in
your best interest to advocate with your employees, top influential
customers, industry analysts, journalists, broadcast networks, investors,
and partners — and when/if appropriate, local and federal law enforcement
and government agencies to help shape better protections and consumer and
industry awareness. There is merit in at least considering advocating from
the other side of a breach, as it’s difficult to objectively explore this
as an option in the heat of a crisis. Knowing this up front will dictate
how you handle disclosures while an incident is happening, and may guide
further messaging.

As time passes, communicate what was learned and what was done to improve
security as a result. Make sure employees and major stakeholder audiences
are provided messaging after the fact repeatedly. History has a way of
being rewritten. Remember, you can help control how the final chapter is
written — as long as you write one.

Finally, don’t forget to dust off and revisit your plan often. Hackers are
constantly trying to stay one step ahead of you. So, keep running
simulations. Keep spokespeople fresh. Keep your communications plan
up-to-date and at your fingertips. Your brand and your company’s livelihood
depend upon it.