We've all seen the sobering stats: Nearly 500 major data breaches have been reported in the United States since the beginning of 2009, impacting more than 220 million records. And that doesn't even account for the many breaches that weren't publicly reported.
So chances are that your company will be hit by a breach, if it hasn't already. In fact, some would say it is almost as inevitable as the finger of blame being pointed squarely at you, the company's senior security professional and chief scapegoat, when a breach strikes.
Fortunately, most CISOs acknowledge this and invest in security technology to help them achieve some degree of protection and early alerts in the case of a breach. However, that is just one part of the breach preparation process. Equally important is having a strategy in place for how your company is going to handle the communications associated with a breach – with the media, your employees, affected customers, shareholders, etc.
Think about it: Presumably you've worked hard to create a brand that engenders trust, so when a crisis such as a data breach befalls your company, it is crucial that you take an active role in mitigating the damage to your most valuable asset – your brand's reputation.
In fact, faced with the dizzying frequency of breaches, many customers are no longer moving away from affected vendors immediately upon hearing about a breach, but instead they're waiting to see how the breached company handles the situation before deciding whether to switch. And if you look at the recent Ponemon Institute study, breaches translate into a cost of $204 per compromised record, with $135 of that comprised of costs associated with lost business. So clearly it is in your company's best financial interest to do what you can to put customers' minds at ease by taking external communications just as seriously as the technology you've invested in to prevent a breach.
If you're still questioning the importance of effective breach communications, consider the reality of living in a 24-hour news cycle these days. Bad news travels fast, and with the emergence of social media, the chances of keeping a lid on such news are pretty slim. An employee's blog or tweet, or an overheard conversation at the grocery store, could let the cat out of the bag, unwittingly or not. And the more time that lapses while you're scrambling to determine how to communicate the breach, the greater the risk that news of your breach will be broken in terms you can't control, with serious implications for your brand and your ability to remain competitive.
For you, Mr./Ms. CISO, taking an active role in breach communications preparation also becomes an act of self-preservation. Over the years, we've seen the CISO become a fixture in boardrooms and assume responsibility for far more than the bits and bytes. At the end of the day, your job is as much about protecting your company's reputation as it is about protecting its data. The downside to all that influence, responsibility and additional budget is that when a breach hits, the target on your back is visible from space.
Convinced yet?A Brief Guide to Breach Planning
As with anything, planning and preparation is the most important part of breach communications. The work you do up front ensures that when the time comes you'll be able to swiftly react to restore customer confidence and emerge with limited damage to your brand.
Here are three essential steps you should consider when preparing for a data breach:
1. Develop a Crisis Communications Plan
If you want to shore up your breach communications, the first and most critical element is the development of a good crisis communications plan. This is a physical document that contains a series of options to guide your company's response in the event of any disruption to its business continuity. You can think of this as a blueprint for how to deal with any sort of curveball thrown your way, meaning its creation has to be done thoughtfully and in anticipation of all sorts of breach scenarios.
Though typically led by internal or external marketing/PR experts, the plan is worthless unless it is developed jointly with your company's key stakeholders and everyone is bought into it.
One quick note: Though crisis communications is a component of your overall business continuity management initiatives, don't get caught in the trap of assuming that your business continuity/disaster recovery plan already covers communications.
2. Crisis Team, Unite!
Every company is different, but what remains constant is that crisis planning requires active participation from the most senior members of the company, as well as those whose departments may be impacted. At a typical organization, the CEO, CSO, PR lead, legal counsel, DR/BC leads and heads of HR and IT comprise a crisis team.
As you begin developing the crisis plan, you need to clearly designate roles and responsibilities to each member for each crisis scenario that may arise. You also need to assign a team lead, often a communications officer, but sometimes the CISO, to manage the process and ensure that everyone is adhering to their predetermined roles.
This also means gathering plenty of contact information so you can reach the team at all hours and during vacations, just on the off chance that a hacker isn't considerate enough to launch an attack between 9-5.
3. Practice Makes Perfect
Let's say you've gotten your plan together, your crisis management team is at the ready, and you're feeling good about your level of preparedness. Then a year, maybe two, goes by without incident until “BAM,” you get breached. If you have to dig out your crisis plan from the storage closet and blow off an inch of dust to figure out what to do, you can be assured that your level of preparedness is not quite what it should be.
The key is to keep the plan, and your skills, current. Conduct breach simulation exercises on a regular basis – at least twice a year - even if it's simply adding communications to your DR table-tops. Simulate different breach scenarios and conduct mock interviews to strengthen your spokespeople's media skills.
As for the plan, it should be revisited quarterly, and any new threat scenarios or potential vulnerabilities added in. An outdated plan is better than no plan, but not by much.
Eight Steps to Surviving a Breach
Ok, it finally happened to you. You've been breached, so now it's time to begin executing on that crisis plan you've worked on and updated ever so diligently. Here's what the typical steps would look like and the questions you need to answer:
1. Gather the Crisis Management Team
Get everyone physically together to start breaking down what happened and to begin to forge ahead. Don't make the mistake of trying to compartmentalize it.
2. Initial Crisis Analysis
Assess the facts and implications, including asking questions about the scope of the breach, who was involved, when it happened, how/when it was revealed, what has been done to address the breach and who is aware of the situation.
3. Compare Agendas
Begin to understand which audiences are affected and have to be informed, and what their respective agendas are. In other words, what will they be feeling and what are their needs? From there, clarify your agenda, starting with determining whether the breach is your fault or someone else's, such as a supplier or service provider. Then begin getting your arms around the best and worst possible consequences, trace the timeline of the breach and your company's reaction, identify who needs to be consulted and what codes of conduct are involved.
4. Assign and Execute Holding Actions
While the details of what happened are being sorted, in some scenarios it is prudent to communicate that you are aware of the situation and to assure relevant parties – beginning with your internal staff – that you are addressing it. This is a delicate matter requiring legal consultation, and once you decide to begin getting the word out via a “holding statement,” you need to know that you can't put the genie back in the bottle. But at this point, the first step is to appoint a spokesperson to whom the holding statement will be attributed, then develop the statement and begin notifying internal audiences of the breach in a transparent manner that empowers staff to ask questions and feel completely informed.
5. Advanced Crisis Analysis
A more detailed investigation than the initial crisis analysis, this step will have been ongoing and should yield a better understanding of what you're up against, thereby informing the incident-specific plan.
6. Buy-in on Incident-specific Action Plan
With the general crisis plan as a foundation, a specific action plan will need to be generated, taking into consideration the details of this particular incident. Ideally it will map closely to a scenario you've anticipated in the crisis plan, but there will always be nuances that aren't accounted for.
7. Implement Plan
Now you can execute your plan and begin the road to recovery.8. Monitor and Evaluate
Track for any and all feedback, reporting and analysis of the breach and your company. Your communications activity should be an ongoing loop of dialogue with all stakeholders, so it is crucial that you know how the breach communications efforts are being received and adjust activities accordingly.
If your company follows the above steps, you'll be well positioned to minimize the potential damage of a data breach.
Of course, this is just the tip of the iceberg. You'll notice we didn't get into notification letters, the legal aspects of breach communications, or any number of areas that would be articles in their own right. But hopefully this gives you a flavor for the value and importance of effective breach communications, the need to prepare for the inevitable, and some food for thought about how to handle if/when it happens to you.
Steve Collins leads the security practice at Text 100 Public Relations, a global boutique PR consultancy committed to managing the reputations of leading brands around the world. He can be reached at [email protected].