[BreachExchange] Damage Control: 11 Steps To Take If Your Company Has Been Breached

Destry Winant destry at riskbasedsecurity.com
Tue May 8 19:42:09 EDT 2018


Facebook has faced public backlash after the recently exposed
Cambridge Analytica scandal. Although the social networking giant
didn't know its customer data would be misused at the time of
collection, many still feel Facebook should have done a better job of
preventing an incident like this from happening in the first place.

These conversations surrounding data privacy and protection serve as a
reminder to all brands that security and third-party vendor vetting
should be a top priority. However, even with the best intentions, data
breaches can still happen, and when they do, your business needs to be
prepared to do some damage control.

Members of Forbes Communications Council recommend taking these first
steps if your company discovers a data breach.

1. Do an audit and inform those affected.

Data breaches happen. The first step you want to take is conducting a
top-to-bottom data audit to identify what's been affected by the
breach. From there, keep your user base up to date. Taking
responsibility for the breach and owning up goes a long way for
retention. - Michael Lazar, ReadyCloud

2. Develop an immediate public response strategy, even if it's limited.

Before releasing any communication to the public, develop a strategy,
ideally in less than 24 hours. While an apology is a necessary step,
it's not the first; you have to know what you want to say and what you
are going to do immediately following your initial statement. This
approach involves identifying the right spokesperson and creating a
means for monitoring the public's response beforehand. - Amber Micala
Arnold, MWWPR

3. Respond as quickly as possible.

Facebook's biggest problem in responding to the Cambridge Analytica
scandal serves as a cautionary tale. Instead of coming forward about
the problem quickly, Facebook stonewalled and tried to intimidate
journalists. According to our research, 60% of Americans want
companies to respond to a crisis within 24 hours. It's like ripping
off a Band-Aid: The faster you do it, the less it hurts. - Curtis
Sparrer, Bospar

4. Provide deadlines for further information after the initial announcement.

Facebook is an honest company and it isn't sugarcoating the data
breach that happened, but sometimes it is too little too late. Release
the information about the breach right away. Don't wait for a plan to
be developed before the news is released -- provide deadlines to the
users on when you will release a plan of action and follow through. -
Anshu Agarwal, Cedexis

5. Communicate clearly and effectively to internal and external stakeholders.

Fortunately, we’ve never experienced a customer data leak and hope it
never happens. But in the case of any data breach, the first step is
to maintain effective communication, both internal and external.
Outline the entire situation for your team and explain to customers
precisely what happened. Be sincere and provide as many details as
needed. - Pawel Kijko, TimeCamp

6. Take control of the narrative.

Be a step ahead of the press and competitors looking to leverage your
misfortune. Take control of the narrative and be transparent in
admitting the mistakes that led to the breach. Highlight what you're
doing to prevent future incidents and do everything possible to assure
your customers that you have their backs. This will allow you to
mitigate any damage to your brand and accelerate recovery time. - Xuan
Liao, LisbonTech

7. Make sure your CEO is press-ready.

Proactively inform press of the data breach before news headlines
break, being selective about who you choose to share this information
with. Based on the severity of the breach, be sure your CEO is
prepared to speak to the press. Zuckerberg’s early reluctance to speak
with media and lawmakers, instead sending middlemen to do the dirty
work, helped put him in the position he finds himself in today. -
Monica McCafferty, MCM Strategies LLC

8. Be honest and avoid getting defensive.

A common thread amongst companies that came out of data breaches
relatively unscathed is honesty. This means working quickly internally
to identify the full scope of the breach and then communicating that
as simply as possible while staying honest. The second a CEO goes on
the defensive or tries to cover up any aspect of a data breach is when
users and customers start to flee. - Elisa Richardson, Eddie

9. Take responsibility.

When facing a data breach, a company should devise a statement taking
responsibility for its actions. Taking responsibility will maintain
credibility. People can forgive mistakes faster than silence. When a
company is vague or slow to tell their story, the audience will fill
in the blanks and write their own stories. Control your message. -
Levitica "Lee" Watts, Smith, Gambrell & Russell, LLP

10. Show your customers they are your first priority.

Recognizing the data breach and addressing that the company's utmost
priorities will be to combat, secure and protect the customers'
information, regardless of who they are, will show that the company's
dedication is to the customer. Regardless of any financial or
reputational outcome the company might face after, the customers are
always first. - David Isern, Texas Tech University College of
Architecture (TTU CoA)

11. Draft a crisis and reputation management plan for next time.

If you don't have one already, draft and implement a crisis and
reputation management plan for your company. This document will
outline specific measures to take if and when a data breach (or other
negative situation) occurs. It should include key spokespeople,
talking points, tough questions and suggested answers, etc. Be
proactive now so you are prepared for a potentially harmful moment
later. - Glenn Gray, Buffalo Agency