According to data from the World Economic Forum, on average, more than 25 per cent of a company’s market value is directly attributable to its reputation. And a Deloitte report establishes that reputation risk is a top strategic risk for organizations. What very few organizations realize, however, is how much of a role security disasters play in influencing an organization’s reputation.
As an organization, it’s very important to realize this fact: experiencing a security disaster is inevitable. You can’t avoid it — or at least you shouldn’t assume that it won’t happen.
Recently, it came to light that every single user account at Yahoo! was compromised during its last security breach — affecting over 3 billion user accounts. eBay was also in the spotlight a while back after it came to light that about 145 million user accounts had been compromised. Target is another high profile hack that comes to mind — with over 40 million accounts compromised.
If these mega-corporations, some with entire security teams filled with the best in the industry, can be hacked, then businesses of all scales should expect to experience a security breach at some point.
What is most important, however, is how these security breaches are handled. According to a study of 2,300 businesses by IBM and Ponemon Institute, it will cost the average business about $19.6 million to address security disruption within a two-year period — and 75 per cent of this expense will go to reputational damage and the bottom line.
If security disasters are inevitable, then how can you save your organization’s reputation in the event of a security disaster? You can have a PR strategy tailored towards dealing with security disasters. Here are five tips for handling security disasters in your organization:
1. Be Prepared — Expect That Security Disasters Will be Inevitable
According to Melanie Thomas, an expert on privacy and security-related incidents, the biggest mistake organizations make that affect their PR efforts during a data breach is a lack of preparation. “People falsely assume that they’re prepared because they ran a drill four years ago,” she says. “They also assume they’re insulated from a crisis like a data breach because they have a solid IT team. Worse still, they think they can figure it out at the time a crisis hits. That’s like playing roulette.”
It doesn’t work that way. If the security breaches Yahoo!, eBay, and Target have experienced is any indication, it’s clear that having a solid IT team won’t insulate you from security breaches.
According to Thomas, security crises can take many forms. While it could be an ordinary data breach or cyber attack, it could also be due to any of the following:
- Employee error
- Employee sabotage
- Natural disasters
This quickly brings to memory an incident in which an ex-Hostgator employee was able to compromise over 2,700 servers belonging to the organization. Even though the employee no longer worked with Hostgator, he had installed a backdoor on these servers over the years and simply made use of this access when he was dismissed. Hostgator would later prosecute this ex-employee, but it would have been much better if they had anticipated this.
Regardless of the source of your security disaster, the first step towards being able to effectively protect your reputation is to be prepared. Anticipate all forms of security disasters and prepare a sort of “PR response plan” in the event that they happen.
2. Be Transparent, Disclose Only The Facts You Have
When dealing with a security crisis, you almost can’t do right from a PR perspective. If you respond too fast before you have the facts, you could put yourself in trouble. If you respond too late, however, and word gets out from an unofficial source, all trust could be lost in you. According to John Mason, a cyber security and VPN expert, and founder of TheBestVPN, the best solution is transparency without being too hurried. “Let people know something has gone wrong, that you’re in control of the situation and are committed to keeping them informed, and that you’ll communicate further as soon as you have all the facts.”
Mason advises against delaying communication when there is a security breach. “It isn’t easy, but it will be worth it. Delaying like Equifax did — taking six weeks to inform users after discovering the breach— can quickly backfire,” he says.
At the same time, don’t be too hurried: while keeping people informed, only disclose facts you have. During Target’s security breach, they disclosed information underestimating the number of users affected, failed to take responsibility and later revealed that more people than initially stated had been affected. This sent a message that they weren’t prepared for the situation and are incapable of addressing it. They paid dearly for it – stocks tumbled, their CEO was fired and they became the victim of a class-action lawsuit.
3. Control The Narrative While Communicating
It’s not easy being CEO when you find out that 145 million user accounts have been compromised. In situations like this, knowing how to pass across this message to stakeholders and the public can be difficult, but you must communicate. More importantly, you must ensure you are controlling the narrative while communicating.
Here are some tips to help you control the narrative while communicating a security disaster:
- Make sure you are the first to inform the affected parties and the public about the security disaster. If word gets out through one, two, or more other sources, then confusing signals could be sent and people are less likely to trust what comes from you. If you communicate first, though, you retain power as the official source.
- Be specific about the scope of the hack and what you know. Don’t try to make claims that cannot be validated just to look good. If these claims are countered, trust in you will diminish.
- Don’t be too worried about the company’s financial position. Life happens, and very few organizations can go through a security disaster unscathed. Your major concern is to limit the impact of this disaster and ensure a quick recovery. If you make communication missteps in the process of trying to save the company’s financial situation, it could cost you even more down the line.
4. Create Dedicated Channels For Information Related to The Security Disaster
Depending on the size of your organization, you should expect to be overloaded during security disasters. Whether it is in terms of requests for information from users or the media, you must be prepared. This shows commitment towards addressing the disaster and reduces the chances of your position on the issue and capability to address it being misrepresented. Here are some ideas:
- Create separate social channels aimed at providing sensitive information and answering user requests related to the security disaster.
- As soon as you have relevant information relating to the security disaster, make it available on these channels.
- Be very timely when it comes to addressing inquiries related to the security disaster. Taking too long to respond, especially when in the spotlight, would make things worse.
- If possible, ensure the bad news is released quickly and fast — letting it take too long will only make the problem seem bigger than it really is.
5. Put an Executive Face on The Frontlines
When there is a major security disaster, people want to see a face communicating to them the nature of the incident as well as measures taken to address it. As much as possible, it is important to note the following:
- Nothing will make you look bad, and aggravate the situation, more than having conflicting information released internally. If possible, you want to have just one or two people discuss the disaster to ensure consistency in what is being put out.
- The higher up the “face of the disaster,” the more seriously the issue is seen to be taken. While it might be easy to let a low-level employee handle the public communications, you will appear more serious and committed to the situation if a high-level exec like the CEO is communicating to the public. However, it is important to ensure the person who handles this communication is well-informed and appears in control.
You can’t hide from a security disaster— not forever. It happens to the biggest and the best, and it will most likely happen to you too. What really matters, however, is what you do after the event to allay users’ fears and communicate being in control. The above are five PR tips for dealing with security disasters in your organization.
About John Stevens