Heather Wilson

Nearly half of all Americans had their data exposed through cybersecurity breaches in 2014, according to the Ponemon Institute.

Breaches come in many forms, from hacktivist groups who are motivated by political or social purposes; to state-sponsored entities that are well-funded, highly sophisticated and whose aim is usually corporate espionage, or in some cases, seeking control over critical U.S. infrastructure; to organized crime rings that seek data for financial gain; to an organization’s own employees. In fact, according to a recent Experian study, 59% of cybersecurity breaches in 2014 were caused by employees (either accidentally or maliciously).

Even a limited breach can cost a company millions in lost revenue, profit and reputation.

This article is featured in O'Dwyer's Jan. '16 PR Buyer's Guide and Crisis Communications Magazine.

Prepare for it

This is not just an IT problem. Preparing for and managing a cybersecurity incident needs an interdisciplinary approach. The first step is the creation of a crisis management team comprising senior members from legal, PR, HR, operations, security and IT (and perhaps other relevant departments depending on the organization).

This group should be formed during “peace time” so that it can establish roles and protocols well before any threat arises. Waiting until a crisis strikes will only result in more chaos and confusion over responsibilities and the loss of valuable time needed to assess what occurred and how to remedy the situation. During an actual cybersecurity incident, the crisis management team will serve as the liaison to senior management and other key stakeholders to ensure that the company can maintain business as usual while this smaller team focuses on the problem at hand.

In addition, the crisis management team needs a communications playbook that covers cybersecurity incidents along with other traditional potential crises. This plan must be short to be effective; in fact, meticulously trying to map out a blueprint for managing an anticipated incident can be counterproductive because events rarely unfold the way we expect them to. The plan must instead focus on guiding principles and goals to help the organization best communicate during times of crisis. By having this work done in advance, the crisis team and the broader organization are better able to maintain an orderly process throughout a crisis.

Once the playbook has been drafted, it is important to practice it. The team should hold a cybersecurity crisis drill to rehearse its roles, think through key messages and stress test the plan to see if there are any steps or items that might need to be added or rethought. The best drills include as many life-like elements as possible, including mock social media chatter, reporter and public official inquiries and angry customer comments.

Get help

Should a cybersecurity breach occur, bring in expert outside counsel. Companies should engage outside legal counsel and forensic investigators within 24 hours of an incident to perform the internal investigation. This will demonstrate that the company is taking the matter seriously. Even the largest of organizations often lack the specific expertise and resources needed to carry out the number of actions that need to be taken when a breach occurs.

Cybersecurity incidents, especially if personal or financial information has been exposed, can also open up a company to potential litigation and regulatory investigations. Bringing in outside help quickly can preserve evidence and will demonstrate to regulators, policy makers, customers, the board, shareholders and other stakeholders that the company is taking the appropriate steps to contain and manage the breach.

Some of the first questions that the crisis team and outside experts will want to ask are:

• What has been compromised?
• How many people may have been affected? What states/countries do they live in? (Notification laws vary by geography.)
• How was that data stored?
• Has the hole that the hackers discovered been closed? Are there other ways they could get in?
• How can we contact those affected?
• Has law enforcement been notified?
• If the suspects are employees or ex-employees, what information do we have about them? Were background checks done?
• Going forward, what changes will be made to secure data or change procedures?

Communications considerations

During the early hours of a cyber crisis, you will not have all the facts. Until the investigation is complete, it is unwise to provide estimates or speculate on the breach’s origination and extent of potential damage caused. If the breach is especially large, high-profile rumors may already be circulating on social media (and in many cases the stories may be started by the hackers themselves, especially if the breach was caused by hacktivists). If the information you provided publicly before fully confirming the size and scope turns out to be wrong, it will undermine your credibility and make it appear that you do not have control of the situation. What you should communicate is that the organization is taking the matter seriously and will take care of those affected by the incident. Those individuals who may be affected are your chief concern.

Additional steps include:

• The legal and PR teams will work together to craft all messaging for the incident, as well as potential customer letters informing them of the breach. Communications materials should include language that can be used both internally and externally and versions appropriate for social media (should the need arise).
• Arm your front-line employees (receptionists, customer service, etc.) with talking points about the incident. Ensure that they do not “go off script” or speculate.
• Initiate media and social media monitoring.

While avoiding a cyber-attack altogether may not be realistic, being prepared to handle it is. In a 24/7 digital age, organizations no longer have the luxury of waiting to figure it out on the fly. Any misstep will be amplified instantly. Demonstrating leadership and control of the situation will help an organization through the crisis. By taking the time to do the prep work, organizations can better withstand a cybersecurity crisis with their reputation and business intact.

* * *

Heather Wilson is Managing Director at The Abernathy MacGregor Group.