When companies suffer a data breach, it can be devastating to several parts of the business. And consumers are beginning to have more impact. IDC revealed that 80 percent of consumers will abandon a business if their personal data has been compromised.
The first reaction of managers and leaders is usually to turn to IT and security teams to fix the problem and counteract the damage that was done; however, this is often shortsighted. As cyberattacks and data breaches continue to increase, there are other parts of the organization that can help mitigate the consequences after applications or networks have been compromised. Below, we outline how organizations can regain consumer trust after being hit by a cyberattack.
Notifying the Customers
In an ideal world, organizations would be able to get the message of a data breach out to their customers before they read it on the news. However, with the 24/7 news cycle and cyberattacks making headlines every day, this may not happen. If your customers have already heard the news, they may be feeling vulnerable and panicked, not to mention angry. After all, they trusted your company with their information, and it was exposed.
Your organization should do its best to ensure that you are the ones to make the information public first. When sending an email notification or even a breach notification letter, remember to keep a calm and level tone, but also be apologetic and helpful. Put yourself in your customers’ shoes. Have some empathy. What information would you want to know during and after a cyberattack?
It's important to be transparent. It’s transparency that builds trust. This means providing the full narrative of what happened by answering the following:
Who is at risk of being compromised from the breach? Was it users of a specific application or website?
What information was stolen? Was it usernames, passwords, financial information? It’s important to specify.
If the organization has multiple websites, applications or locations, where was the information stolen? Was it taken from the cloud, or an on-premise data center?
Why did the breach happen? Specify what exactly caused the unauthorized access to customer data. If you are still investigating the root cause, it’s important to tell that to your customers. These situations are oftentimes complex, and being transparent while educating your customers is an important first step in assuaging their concerns, as well as regaining their trust.
How should consumers move forward to best protect themselves, and how is the company going to fix the problem? Take full responsibility for what happened, and reiterate that your organization will do whatever is necessary to prevent these incidents in the future.
At the time of the notification, personalization is not recommended. Content personalized to the specific customer can indicate that your company does not take privacy seriously. In these materials, it is recommended not to use first-name personalization.
Keeping Consumers Informed of Progress
The breach notification to your customers is only the beginning of regaining trust in your brand. As the data breach investigation moves forward, it is important to continue to relay any information that is relevant to your customers. Sending a follow-up email or letter can reassure your customers that you’re thinking of how you can better protect them. This communication needs to be consistent, not random; random updates will make your customers feel like they are simply an afterthought, rather than a priority. Marketing and communications departments can also work with dedicated members of a customer service team to give the latest information on the breach. In addition, there should be a section of your website where consumers can find information and learn how to contact customer service with any issues.
Producing Ongoing Educational Content on Best “Cyber Practices”
Following a data breach, consumers can be lost on how to move forward. Even after all of the details are explained to them and they are informed of developments in the investigation, they may be wondering how they can protect themselves from a cyberattack on any organization in the future. By producing educational content on how they can avoid becoming a victim of a data breach, you will lead them to turn to your organization as a trusted advisor again.
It is important for your organization to produce content that will be helpful to consumers when the breach happens. Also keep in mind that everyone consumes content differently, so having multiple different ways to get the information to them is crucial. Pieces of content could include a blog post with information on agencies that can help in the event a user or customer might be vulnerable to identity theft, and steps they can take to reduce that risk. Other examples include email campaigns, or videos from executives with cybersecurity tips, including best password practices and how to avoid falling victim to phishing attacks.
Keep in mind: the content must be written in a way that does not blame them for the breach, but rather helps them ensure their information is not compromised further in the future.
Preventing Breaches from Happening
At the end of the day, the best way to regain consumer trust following a cyberattack is to assure the public that you will do everything in your power to prevent it from happening again. Shift your company’s mindset to security-first and privacy-by-design. Organizations that suffer a breach should be asking themselves: what can we do better? Are all departments communicating? Does the right hand know what the left hand is doing? Is everyone in the organization aware of the security and privacy ramifications if an incident were to happen?
A thorough assessment of current technology and gaps in security talent should be conducted and addressed throughout the months following an attack. In addition, all employees should be reminded to keep security at the top of their mind at all times. When consumers see an organization that is honest and taking steps to right the wrong that happened, they will begin to have trust in the brand again.
Matthew Hutchinson, vice president, WhiteHat Security