Data breaches can prove to be disastrous for your company. Not only could you potentially face civil lawsuits and government fines for failing to adequately guard your data, but you also have to worry about the public relations fallout.
Customers and employees will lose faith in your brand, costing you untold reputational damage. And just like with a disaster, the only way to survive is to be prepared, drilling and practicing the steps that will be put into place in a real breach emergency.
Levels to a clearly defined communications plan for cybersecurity crisis management.
One thing your company needs is a clearly defined communications plan for cybersecurity crisis management. Before you do anything else, define how you will inform the people inside your business of a data breach.
You need to include your IT and security divisions at the top of the communication chain as the most immediate concern will be the containment of the data breach. Even after you’ve discovered the breach, the hackers may still be in your system.
Your security team will need to close whatever means the hackers used to gain access. Oftentimes, outside forensics experts will be required, as shutting down unauthorized access to networks is a very complex task. (These experts often charge $800+ per hour.)
Next, bring in the C-suite and other upper-level personnel to begin the crisis management part of your plan. Everyone at this level needs to have a clearly defined role. But you don’t need to have multiple voices speaking at once. Designate a single senior person to serve as the “face of the crisis” to management.
Level Three—Non-Management Staff
One big mistake that companies make is not including their lower-level staff in the crisis plan. Everyone, from personal assistants to cashiers to mailroom clerks, needs to know exactly how they are to respond in a crisis.
In the age of social media, you don’t want someone in, for instance, a retail position relaying idle gossip to customers or clients. This can be halfway around the world on Twitter or Facebook before you even know how to respond.
But you also need to take this step because your employees can lose confidence in your company, just as your customers can. You’re going to need full cooperation and loyalty from your employees to weather this storm, so it’s imperative that you have them on board as early as possible.
Level Four—Outside Stakeholders
Your next step is to inform any of those not directly employed by the company about what has happened. If you’re a publicly traded company, this can include stockholders.
But it should also include your customers whose data may have been compromised. The worst-case scenario is for customers to learn about the breach from the media.
Although it may seem low on the chain, this is an important step. All of the above levels should be handled as quickly as possible, which will require a well-oiled communications machine. But when it comes to dealing with the media, seriously consider using an outside public relations firm.
Having a PR firm on retainer is a good idea because they’re experienced at dealing with these types of events and know best who to contact in the media to get the information disseminated. A PR firm will provide you with a “face” for the crisis that can professionally represent you to the media.
A plan is necessary for so many reasons when dealing with a cyber-attack.
Data breaches have been a staple of news broadcasts and technology updates for the past few years. We have almost become immune to the reports of so many people having their personal information compromised. While no amount of security measures can absolutely prevent an attack, they certainly can better your odds and help limit the damage.
And when (most likely) your company experiences a breach, having a plan already in place will help you respond in a measured and appropriate manner.
Creating a crisis communication plan can take time and planning. If you would like help with this or any aspect of cyber security, please contact us for a free consultation.