Getting your public response right in the event of a breach
August 30, 2018
In the event of a breach a public statement’s tone must be honest, empathetic and humble – crucially, take responsibility and apologise to those affected; reassure them all necessary steps are being taken to address the situation.
OPINION by Nik Whitfield
When it comes to data breaches, CISOs across the globe should heed the adage of “fail to prepare, prepare to fail”. As with PR crisis comms, the difference between the companies that weather the storm and those that dig themselves a deeper hole often lies in the preparation.
Given that 2017 smashed world records for the most data breaches, and that GDPR now mandates breach reporting within 72 hours, it has never been more important to have a clearly defined data breach response plan.
With data breaches it’s not a case of if, but when. Most companies are not aware that they have been breached until several months, or even years, after the breach actually occurred. This is because there is usually no immediate impact on the company (with the exception of some of the newer types of breach, such as ransomware).
Cyber-criminals frequently hold stolen data for a long time and then offer it for sale to other criminals when it becomes valuable.
Most often, organisations discover they have been breached when government law enforcement agencies or other third parties notify them. Once informed, the clock starts ticking and the incident response plan needs to spring into action. To control reputational and financial risk when making a public statement regarding the breach, advance preparation and caution are imperative. You do not want to react under pressure; you want the process to be well orchestrated and rehearsed.
The first step is to agree exactly who will be allowed to speak publicly following a breach. Limiting this to the CEO and Head of Security is highly advisable to ensure containment and consistency.
Everyone else, including other senior executives, should be instructed to defer to the named individuals for any public statements. There also need to be clear internal organisational charts, developed in advance, which outline everyone who will be involved in the incident response with their roles and responsibilities clearly defined, as these will typically differ from their normal roles.
It is also advisable to draft proposed public statements in advance and get them reviewed and vetted by the PR team. These drafts will be invaluable as a starting point and can be quickly edited when needed. When it comes to developing statements there are some clear rules of thumb that must always be followed.
Firstly, and most crucially, never state more than what you know – if you don’t have information then don’t speculate on the extent, cause and impact. It will seriously undermine the company and brand if you have to retract information at a later date. It is much more advisable to keep it factual – you can always update your public statements when concrete information is available and verified.
The tone of public statements is also key. We have all seen instances where a company comes across as aggressive and defensive – it makes the industry collectively cringe, and more importantly it exacerbates and prolongs the crisis. The media seize upon it and the situation spirals.
The tone of the public statement must be honest, empathetic and humble – crucially the organisation must also take responsibility and apologise to those that may be affected and reassure them that all necessary steps are being taken to address the situation. They need to outline when updates will be delivered and then ensure that they are provided within the promised timelines.
Lastly, it’s highly advisable to test this process through periodic tabletop exercises. Operating under the stress of a crisis is difficult, and practice makes it much easier. If a situation breaks at a time when HQ is offline, a country head might feel that they need to give a holding statement. If this isn’t part of an agreed process then it must not happen – the incident response plan needs to be stress tested against multiple scenarios like this.
By being clear on how to respond publicly after a breach, the company is protecting itself against a multitude of external risk factors. In 2017 the number of total breaches and total records exposed each jumped by 24 percent over 2016 – data breaches due to hacks accounted for 2.3 billion records. You aren’t preparing in vain – it’s likely that you’ll need to implement these processes, and with preparation and practice you’ll ultimately minimise the damage.