Communication and data breaches: How to get it right
"Data breaches have become the leading risk to data and privacy in the last ten years, and there’s no sign of an end." States the Avast Business Threat Landscape Report for 2018, and isn’t hard to believe. Over the course of 2017 there were more than 2.6 billion instances of records and data being compromised or stolen online, but in the first half of 2018 alone, data breaches exposed over 4.5 billion records.
Clearly, this is a very real threat. But while many businesses are increasing their preventative measures, the important step of creating an incident response plan is often overlooked. While any business can hope that their cyber security is enough to keep company and client data safe, it’s important not to simply assume that this will be the case.
Creating a crisis response strategy does require time and energy, but it shouldn’t be seen as an unnecessary overhead. If a data breach happens to your business, having a planned and perfected response is the difference between a chance to increase customer trust and a complete PR catastrophe.
How not to do it
Data-breaches have made major headlines throughout the last decade, damaging everyone from the UK’s National Health Service to Target and Sony. In many cases, customers didn’t know their data had been compromised until they read about it in a newspaper or saw it announced on the news, long before the company responsible for storing their data had notified those it affected.
Target’s infamous 2013 breach, where 40 million customer payment cards were compromised, has become an example of what-not-to-do in crisis management. Target hadn’t planned what they would do in this kind of situation, and when it happened, decided that they weren’t going to publicly announce the breach. The problem was, it didn’t take long before the details had made it into national and international press.
Customers hearing about the issue through word of mouth and the media began calling customer services, only to find that the phone lines were jammed because there wasn’t a dedicated crisis line to handle the sudden influx of phone calls. Rather than reacting to their breach quickly and openly, Target created a feeling of serious mistrust by trying to hide the incident from view.
Be aware that the longer the time period between a data breach happening and a business announcing it, the larger the risk is that someone else is going to spread the word for you. According to Deloitte’s Privacy Index, a third of people who find out about a data breach from the company under attack actually trust that organization much more as a result.
While it’s wise to keep the specific details of system security flaws to an absolute minimum, public announcements should provide information about the type of data that is affected and confirm for worried customers whether or not payment or personal data is involved. They should also let people know how they can contact you for further information, and whether there is anything they should check or update as a result.
Getting crisis response right
Just as preparation can help to prevent breaches from occurring, it is also a crucial part of damage limitation if something does slip through the net. Businesses are educating their staff in device security, and increasingly investing in solid security software; so why aren’t they creating action plans for what to do in the event that a data breach does occur?
Big businesses may be just about able to take the financial hit that comes with a major data breach, but smaller operations can find their revenue and customer relationships damaged beyond repair. While 52 percent of small businesses experienced a data security breach in 2017, only 14 percent actually had incident management processes in place -- and with the number of victims rising all the time, good planning should dictate that a response strategy is put in place.
Consider the types of breach that could occur, and prepare at least a basic set of guidelines for what to do in such an event. This could be having a webpage on standby to offer information, creating statement templates for the press, customer emails and social media, and the basic task of allocating response roles so that staff know who is doing what.
For SMBs who outsource PR tasks to an external agency, crisis management should be a part of that collaborative work.
Whether you have five staff or fifty, clear communication helps to ensure that everyone knows their role and that the message you deliver is clear and consistent, leaving no room for misinterpretation.
When you’re doing your best to prevent a breach from occurring in the first place, it’s important to reflect on where the potential weak points in your security are.
For many businesses, employees are the weakest link -- whether that’s intentionally or unintentionally. Not all employers have to worry that their teams are plotting to dish out or corrupt sensitive data, but risks that need to be considered include weak password choices, falling foul of phishing emails and connecting to work networks over unsecured Wi-Fi.
It’s also important to make sure that individuals feel they can be honest about errors that have taken place which could lead to a breach, and that they can be open in the event that a breach has occurred.
If employees fear repercussions and try to hide security incidents, breaches can escalate and lead to more serious problems. Clear, quick communication helps to keep things contained and limit damage.
As well as investing in proper cyber security software that can flag spam emails, identify risky links and define strong passwords for your staff, make sure that every member of a team is educated in what poses a risk and what could happen as the result of failure to stop a breach.
Clear communication and effective staff training are a huge help if your business suffers a data breach. When paired with swift and honest updates to clients or customers, you can feel prepared from both an internal and a PR perspective and minimize the negative impact a breach could have.
Terry Hearn is a researcher and copywriter, working for a number of international cyber security brands. His professional work covers topics from consumer tech to business data protection, and outside of the office he sidelines in covering the latest sporting news.