Read the 1st blog in this series, Cybersecurity crisis communication: What to do
When an organization experiences a cyberattack, tensions are high, customers are concerned and the business is typically not operating at full capacity. Every move you make at this point makes a difference to your company’s future, and even a seemingly small mistake can cause permanent reputational damage.
Because of the stress and many moving parts that are involved, businesses often fall short when it comes to communication in a crisis. Here are seven common crisis communication mistakes that occur amid a cyberattack or data breach and how to address them.
1. Not planning for crisis communication
Many businesses wait until a cybersecurity incident arises to create a communication plan. Melanie Ensign, CEO and Founder of Discernible, a communications center for security, privacy and risk team, said that crisis communication starts before the crisis begins because you cannot effectively manage a crisis if you’re waiting for the crisis to start.
Many organizations overlook creating a crisis communication plan that details organization-wide collaboration, prepared communications and appropriate communication channels. Without a roadmap to follow, organizations often overlook key steps and waste valuable time drafting communications from scratch. It’s crucial to have mechanisms already in place so your team can simply follow the guide and make necessary changes based on the specific situation.
2. Waiting too long to communicate with the public
It’s tempting to wait until your organization knows exactly what happened to make a public statement. However, this delay allows time for inaccurate rumors to start, which can damage your reputation even more. In 2017, Equifax waited a month to communicate with the public after discovering the data breach that exposed the private information of 147 million people, which increased the damage and impact. Ultimately, Equifax ended up settling for $425 million to reimburse affected consumers for the time and money lost through the breach. By providing transparent communication with as much detail as you currently know as soon after an incident as possible, you show your customers they can trust that you are handling the incident appropriately — and your business controls the narrative.
Setting the right tone is also imperative. “When you send your customer a notification to tell them that something serious has happened and you may or may not have lost data and information that is very important to them and potentially putting them at greater risk, do not start that notification by saying, ‘Your security is very important to us,'” says Ensign. “As soon as you say these words or similar statements, such as your security is top priority, people tune out and if they read the rest, they are using a sarcastic lens.”
3. Not providing a customer action plan
Customers and any other affected parties want to know what they need to do to limit the personal impact of the incident. By sharing exactly what those who may be affected should do, you give them the confidence to know that you are looking out for their interests and that they can trust your management of the situation. Customers also need to clearly understand how to get more help or information, such as by calling a hotline. While Target eventually recommended that customers involved in its 2013 breach cancel their credit cards, this recommendation was not in the initial communication. Customers lost confidence in Target, and sales decreased following the breach, largely due to the retailer’s crisis communication.
Explore the X-Force Cyber Range
4. Lack of accountability
One of the most important ways to repair your reputation is by communicating how you will fix any issues brought to light by the attack. Organizations that demonstrate that they will emerge with stronger cybersecurity on the other side are more likely to regain customer trust more quickly. Businesses should also take responsibility for any mistakes made that caused the incident or made the recovery lengthier.
5. Failing to follow federal guidelines
Many organizations fall under the critical infrastructure designation and will be required to follow federal reporting processes laid out by CISA. By staying up to date on all requirements and ensuring that all policies are followed, your organization can reduce additional bad press and fines.
6. Lack of ongoing updates
If your organization does not provide continuing updates, media organizations will fill in the gaps as well as report additional rumors. Regular updates help your organization to continue to control the narrative as well as instill confidence in your customers that you are following through with all of the necessary recovery steps.
7. Overestimating senior leadership’s ability to communicate effectively in a crisis
When a cybersecurity incident happens, emotions are running high, especially with senior leaders. Because they are not security experts, they may feel fear and uncertainty about the fact that they don’t fully understand what is happening. Ensign says that very well-intentioned leaders will often go out on their own, such as through social media, and make a statement without following the plan.
“Before the crisis happens, I assign senior leaders a task that is helpful and productive that they commit to doing in advance,” says Ensign. “When the incident actually happens, I can focus their attention on that project and keep them out of the way of the security team as they run their investigation.”
Retain customer trust in a cybersecurity crisis
Many organizations survive a breach with customer trust intact. In most cases, the fact that an organization is a business that is being attacked is not the reason customers stop doing business with the company. By effectively communicating with the public and customers throughout an incident and recovery, your organization can reduce permanent damage.
Want more on this topic? Read our next article in this series, PR vs cybersecurity teams: Handling disagreements in a crisis.