Managing a Security Breach, Part I: Crisis Communications

Malware attacks not only jeopardize sensitive information, such as valuable customer data, but they also impact brand loyalty, vendor relationships, and investor commitment.   As we’ve all seen with the latest retail issues, a serious intrusion may harm sales, customer confidence and even stock performance.

Cybercriminals are frequently in the news for finding new and mindboggling ways of getting into corporate information systems. But the truth is that in many cases, the damage could have been reduced or avoided with better controls, policies and procedures.  But I will also caveat that it’s always easier to critique the situation from the sidelines, than from the heat of the battle. Still, cybercrime happens. In this post, I’d like to go over some important elements of crisis communications in the event of a security breach. In my next post, I’ll share some lessons learned by executives who have suffered through the effects.

Of course, communication is vitally important not just at the IT and executive level, but throughout the enterprise.

Front-line employees and sales representatives are often perceived as the voice of the company, the personification of the brand. If they don’t know what to say, brand value can be irreparably damaged.  In fact, employees are often perceived as “guilty by association” with the company after such breaches, so they may find the need to redeem both the company and themselves with useful information.

To better serve this need, a crisis communications effort must be transparent, thorough, and timely. It should include both emails and crisis websites for internal employees, managers, partners and supply- chain vendors. Depending on your communications preferences, you may even want to do conference calls, Intranet meetings or “all hands” employee meetings to discuss the crisis.

While only designated employees should talk to the press, analysts or financial entities, almost every employee can be assumed capable of delivering some or all of a cogent crisis response message. In most cases, that’s far better than no response, or an uneducated one. It therefore doesn’t hurt to let employees know the details of your crisis response.

Here are some things that everyone wants to know.

  • It’s vitally important to have a crisis communications plan in advance of a breach. The communications plan should include a policy or methodology for crisis communications, including what needs to be communicated, by whom, and when. The plan should also set in motion key communications activities, such as bringing up a crisis website, setting up press and analyst contacts, and bringing up lists of specific audiences that will require alerts.
  • Your best honest assessment of what happened, in comprehensible terms. As Lou Hoffman, president of the Hoffman Agency recently noted about the Target president’s letter to customers after their security breach, “Even if readers don’t know exactly what ‘forensic investigation’ means, they’ve watched enough NCIS and CSI to understand that this is serious stuff.”
  •  What you are doing to remediate the breach? People want to know that the problem can be solved, and when. This could mean everything from finding, freezing and fixing the malware to removing infected servers from the network. Most people will assume that it’s not over until you declare it over.
  • What you are doing to make the situation right for customers or users. For example, are you providing them with free credit card monitoring, or no-liability coverage in the event personal accounts are hit? How will you deal with third parties or investors damaged by the crisis?
  •  What are you doing to ensure this won’t happen again? Are you working more closely with security companies and experts in law enforcement? Are you educating employees and vendors?

Finally, don’t think of crisis communications as a single official response. In many cases, your initial assessment of the crisis could require modification, and messaging to financial institutions, investors and supply chain partners may require careful wording and legal review. It’s OK to have course adjustments to the message, if you’re keeping everyone updated.

Similarly, at the speed of information exchange on the Internet and through social media, it’s important to closely monitor what others are saying about the crisis. Incorrect information about the breach from otherwise reputable sources can be almost as harmful as the breach itself, so it’s important to be prepared with a quick correction if necessary.

Timeliness, authenticity and transparency are key to successfully managing communications in a security crisis.


Leave a Comment

12 + three =