[BreachExchange] You're Going to Be Hacked. Here's How to Tell Everyone Without Destroying Your Company

Destry Winant destry at riskbasedsecurity.com
Thu Jun 15 01:25:34 EDT 2017


https://www.inc.com/sam-jefferies/youre-going-to-be-hacked-heres-how-to-tell-everyone-without-destroying-your-comp.html?cid=hmsub3

Cyber-insecurity is a fact of life now, for businesses of all sizes.
This month's global ransomware attack was a harsh reminder that
hacking, cybersecurity improvements and phishing emails are all just
part of the new arms race between companies and would-be cyber
bandits.

The WannaCry virus infected more than 300,000 computers around the
world. Experts have estimated the costs to run at least $4 billion as
expenses related to "lost productivity and the cost of conducting
forensic investigations and restoration of data" mount. This doesn't
take into account the added financial burden of purchasing new
software to fight against the latest threats.

For startups and other small businesses, the risks are even greater.
Sensitive information, leaked and published out of context, can
jeopardize funding, drive away your customer base, and send employees
running to update their LinkedIn profiles.

According to SmallBiz Trends, 43 percent of cyber attacks target small
businesses, and 60 percent of these companies go out of business
within six months of a breach. The risks are real and the costs are
very, very high.

What can be done?

Step one is to assess the damage. Knowing what sensitive data was
breached will help you assess your response options.

Step two is less straightforward -- communicating the attack (and your
response) to the world in a timely fashion to contain the fallout.
Your response to the press is important. However, the people you work
with and depend on don't want to first read your quotes, however
pithy, in their newsfeed.

Direct and succinct communication to your key constituencies is
crucial. Assess who needs to know exactly what you're doing, before,
during, and after you do it.

Where do investors lie in your hierarchy? Employees or other
coworkers, board members, customers? Not everyone in your network is
created equal, and your communications need to be sent according to
relevance to your business's survival.

Do you have a company intranet, or a database of emails for key
partners? Whatever your communications vehicle, it will need to be
used to discreetly let people know exactly what is being done to
safeguard their interests now and in the future.

Handling the media

Of course, the press may come calling too; you'll need to be ready for
media inquiries. And as much as a call from the New York Times or the
Washington Post can strike fear into your heart, businesses tend to
live and die more often by the tone and focus of coverage in their
industry trade publications and among influential bloggers and social
media critics.

For example, if you're a biotech company, you should already be paying
attention to Adam Feuerstein. He's a blogger turned columnist at The
Street (he's moving to STAT in June) and has been called "the most
feared man in biotech" for his "itchy trigger finger" on social media.
He has 64,000 of exactly the right kind of followers who care about
the sensitive information of companies in crisis.

Communicating your actions and the context of any leaked information
to writers like him should be strongly considered as a media-response
priority for any biotech company facing this type of fallout. The same
is true for other industries and their respective media outlets.

If the FBI or CIA declare publicly that the hack originated from
foreign actors, count yourself lucky, at least from a crisis
communications perspective. This can be shared with appropriate
audiences and buy you some more time to put your house in order and
get back to business.

If not, survival is still an option. It's just not a guarantee, and
who you tell, how you tell them, and what you say all matter more than
you may know.

