“There are only two types of companies, those who got hacked and those who will be.” – Robert Mueller, Former Director of the Federal Bureau of Investigation
Today’s cyberthreat landscape has increased in size and complexity at an alarming pace, and more and more organizations feel the pressure of protecting themselves against security incidents, such as DDoS attacks, Mirai, phishing and ransomware. According to Verizon’s Data Breach Investigations Report 2016, “no locale, industry or organization is bulletproof when it comes to the compromise of data”.
While organizations have understood the need for effective cybersecurity protection, many are still at a loss when it comes to effective post-incident communication – a key requirement for successful incident response. We’ve gathered a few handy guidelines that will help your organization communicate effectively after a security incident.
“When a data breach happens, there is nothing worse than trying to figure out how to manage the crisis on the fly as it is still happening.” – Harvard Business Publishing, 2016
A well-defined post-breach communications plan can play a major role in minimizing the negative impact of a breach and protecting the organization’s reputation in the process. The main objective of a communications plan is to define how your organization will respond to a security incident. To ensure that your plan can be implemented easily when the time comes, make sure that you have sign-off from senior management, that the plan is updated regularly and that it is accessible to all relevant stakeholders who will be involved in managing post-crisis communications (TechTarget, 2010).
“Develop your crisis communication plan when you have time to think clearly and put forward your best, most thoughtful work.” – Maya Pattison (Barkly, 2017)
More often than not, organizations are struggling with proper communications in the wake of a major breach, not only because they are overwhelmed with the inherent risks, but also because they lack the necessary time to outline a comprehensive plan on the fly. In fact, the best time to prepare your post-breach communications plan is not tomorrow, not next week, not in two months – it is now.
Your post-breach communications plan should include the following elements at a minimum:
Each security incident should be handled by a dedicated team of qualified resources who will be able to handle the entire lifecycle of post-incident communications as quickly and professionally as possible. Ideally, your crisis communications team should be cross-functional and include as many different functions as necessary. Somebody from your IT team will be essential in remediating the damage from a technology perspective, HR can assist with appropriate messaging and/or training for employees, Marketing and PR can help direct press enquiries and manage public-facing communications, Legal can clarify whether the incident has any legal implications, Senior Management can make critical decisions and act as your official spokesperson, etc. Regardless of how many members your crisis communications team will have, make sure that roles and responsibilities are clearly defined to avoid confusion or duplicated efforts (Continuity Central, 2017).
Unfortunately, only a small number of organizations have a dedicated pool of skilled resources who know their environment intimately and can join in post-incident mitigation efforts, and many struggle with recruiting and retaining their dream team of specialized security staff. If your organization is too small to appoint a well-functioning crisis communications team, solicit the guidance (and manpower, if needed) of a third-party provider in the wake of an incident. Security service providers can offer you excellent incident response management on a 24/7 basis, and can easily guide your team on what to do when you’ve been hacked.
A myriad of stakeholders may be affected during and after a security incident, and your communication strategy should take all relevant stakeholders into account to ensure that the appropriate information is communicated to the right people at the right time (Centre for Cyber Security Belgium, 2015). Internal stakeholders include senior management, the board of directors, business managers and employees. External stakeholders include the media, customers and partners, vendors and third-party incident response teams (TechTarget, 2010).
One of the first things to do after a security incident is to determine who you should reach out to, and what information you should share to keep them up to date. Here are a few examples of how you can tailor your communications to different stakeholders:
In today’s ever-changing IT landscape, organizations can use multiple communication channels to bring their message across effectively, depending on the purpose of the message and on whether the security incident needs to be communicated publicly or not.
Regardless of what channels you decide to use, make sure to remain transparent, show remorse about what happened and never sugar-coat anything. Bad PR examples from industry giants such as Target have shown that inaccurate or hasty posts can be counterproductive, and can shake customer trust. Melissa Agnes, international crisis management strategist and keynote speaker, suggests clearly communicating “how this breach affects those impacted, what they should do to immediately protect themselves and where and when you will provide them with another update”.
Once you’ve determined who you will communicate with, what you will say and which communication channels you will use, make sure to respect the recommended time frames for when you will do so. The timing of your post-incident communication should be adjusted depending on who receives it and how soon he or she needs to know (Centre for Cyber Security Belgium, 2015).
In fact, communicating too early or too late can have disastrous consequences during a crisis. If you communicate too early, you may be sharing incomplete or inconsistent information and create confusion and uncertainty. If you communicate too late, you may lose stakeholder trust in your credibility and ability to handle security incidents in a timely manner.
According to the Institute for Public Relations (2014), a crisis should be seen as a valuable learning experience, and “every crisis management exercise should be carefully dissected as a learning experience”. Once the security incident has been resolved and you’ve implemented your post-breach communications plan, make sure to revisit your plan and measure your performance to prepare for future potential incidents. Gather your crisis communications team for a post-mortem discussion to evaluate how you’ve handled your internal and external communications during and after the incident. The following questions could help guide your discussions:
“Speed matters, transparency is critical, and owning the breach is important.” – Barkly, 2017
When it comes to communicating effectively after a security incident, preparation is key. A well-executed and well-prepared communications plan that is endorsed by key stakeholders, together with a dedicated crisis communications team who will manage internal and external messaging, can make all the difference. If your communications remain transparent, timely and targeted at all times, you are well on the way to mastering the art of post-breach communications.
On a final note, effective communications can not only prevent substantial customer churn or irreparable reputational damage, they can also strengthen your position. According to Deloitte’s 2016 Privacy Index, “33% of customers reported actually gaining trust in an organization after being alerted by the company about a breach”. If you see a security incident as an opportunity to strengthen customer relations rather than a threat, you may actually come out stronger after a breach.
Want to find out more about how your organization can better respond to security incidents on a 24/7 basis? Check out our case study below to learn more about the value of managed security services and incident response management for protecting your organization’s data.