Incident Response

I’d Like to Buy a Vowel: The Price of Poor Communication During a Data Breach

Feb 2, 2022
29 minutes


20 min read

Listen to this podcast on Apple Podcasts, Spotify or wherever you find your favorite audio content.

Most of the business (and governmental world) is realizing that data breaches are no longer the sole domain of the IT department. We’ve seen private and public sector organizations make crippling fumbles when it comes to communication (or lack thereof) during a breach — sometimes tainting their brands (and political careers) for decades to come.

And while many communication teams have rigorous crisis plans to respond to issues like natural disasters, far fewer have the acumen or language to speak effectively during a cyber crisis. Assuming crisis communication plans for other issues can be quickly morphed into a cyber plan can lead to a false sense of confidence that makes a difficult situation even worse.

Enter skilled pros like Loren Dealy Mahler, who’ve built careers on creating organization-wide communication plans that include the right people, the right words and the right timing — like a maestro queuing the entire orchestra to play in unison. In this episode of Into the Breach, Loren walks us through some of the best — and worst — examples of communicating during cyber incidents, how she ended up building a career in the field, and shares ideas on how to finesse (or even start) your cyber communication plan.

And spoiler alert, I think my favorite quote from this episode might be when she gave us this mic-drop moment: A skilled technical response team can ensure you still have data and infrastructure when you return to work after an attack. A skilled communication expert can make sure you still have a business to run once you get there.

It doesn’t get much clearer than that. Buckle up, and join me as we venture Into the Breach.


Transcript:

Mitch: When a data breach happens, we tend to turn introspective—how did it happen, who did it, and how can we prevent it from happening again. The one element we don’t generally talk about is how a data breach is communicated — that is, unless it’s done really badly. And the last few years have given us some stark examples of how NOT to communicate during a breach—no names mentioned, although we may get into a few of them in this episode.

So what, exactly, IS good communication during a breach? Not only communication to customers or the public who’ve had their data compromised, but communication inside an organization in a world where marketing may never talk to HR and legal may never talk to IT—how do we get those wires connected to coordinate what we say?

In this episode, we sit down with Loren Dealy Mahler. She’s built a career managing cyber crises, helping organizations know what to say, when to say it and how. She’s the co-founder and president of Dealy Mahler Strategies, and she joins us today to shed some light on one of the lesser mentioned elements of a cyberattack: how we communicate when we have one.

I’m Mitch Mayne, and you’re listening to Into the Breach.

So Loren, tell me if you had one piece of advice, or you had a CEO alone for 30 seconds to give him or her advice on how to handle a data breach from a communication perspective, what would that piece of advice be?

Loren: Well, I think that I would tell them that a skilled technical response team can ensure that they still have the data and the infrastructure to come back to work after an attack and ensure that everything’s still there. But a skilled communications response, a skilled communications team and expert can make sure that they still have a business that actually runs once they get there.

Mitch: Wow, mic drop, that’s pretty powerful. So when we think about the communication profession, we don’t often think about cyber attacks. And yours is a job that didn’t really exist a decade ago. Why do you think it exists today?

Loren: I think it exists today, because a lot of people learned the hard way over the last decade or so that the traditional crisis communications teams, the traditional PR teams that exist either in house at a company or on retainer from an agency are great at what they do. And they’ve always been very good at what they do. But just as the whole concept of a data breach, and a cyber attack has evolved to become a little more mainstream people have realised that the traditional playbooks that those really great crisis teams have always used don’t actually help them as much as they thought they did in these situations, and a lot of folks have gotten themselves in a lot of hot water, trying to employ those same old playbooks in the context of a cyber incident. So they’ve had to realise that there’s a specific expertise, a tweak that needs to come into play.

Mitch: So spoiler alert, for those of you who are listening, Loren and I have actually had the opportunity to work on a couple of projects together. So she and I have both kind of seen some eye-opening moments and heard some eye-opening responses from folks around the communication of data breaches. And one of the quotes that we got more than once, I want to read to you, and I want you to tell the listeners how it makes you feel, is this quote: ‘My communication team has a crisis response plan already. I don’t need to have one for a cyber event,’ end quote. Why does that send chills up your spine?

Loren: So that to me, when I hear it, says that the person speaking most likely, if I’m placing this correctly, in an executive role, a senior role is somebody who does not yet fully appreciate the situation that they could find themselves in, when it comes to a cyber incident, that we’ve already got a team they already know what to do. And that’s great. I’m sure they do. And if you have some type of executive scandal or corruption, crisis, product malfunction breakout, then they’re going to be fantastic at managing you through that. What it tells me is that you don’t fully appreciate the changes and the nuances that will exist as you try to manage a cyber situation. And the fact that that traditional playbook that we keep calling about that crisis playbook isn’t going to help you. It’s got some very specific steps in it that are probably the opposite of what you should be doing in a cyber situation. And you’re quite likely going to make things harder for yourself. And when I hear you say that I realise you haven’t quite yet fully appreciated that.

Mitch: Yes, history has shown us that I told you so moment has come far too often for far too many organisations, individuals and our public officials. So let’s talk a little bit about the difference between just a generic Crisis Response Plan about you know, a power outage or a natural disaster. What’s the difference between that and a cyber communication plan?

Loren: So in my mind, the biggest thing that changes as you shift from one of those scenarios to the other is the amount of information that you know, and when you know it. I think it really boils down to: what do you know, and how soon do you know it? When you’re facing a more traditional crisis, then you tend to know what happened. When there’s been a natural disaster, you know what happened. You may not know the full impact of it, you may not know all the specific ramifications of that event yet, but you know, this is the thing that occurred, here’s the damage that it’s done, we’re still figuring it out. You want to get that out there. When it’s more of a manmade crisis, then, you know, something in the sort of scandalous realm, then when you find out the things that are happening, you intentionally flood that information out there so that people absorb less, because you’ve given them so much more.

And then you move on from that, in the situation of a cyber incident, you don’t have that luxury, because quite often, there is no single moment where everything has happened and is finished happening. And then you see what has happened and move on, you just don’t have that option, because it very often takes quite some time to be able to figure out what has happened, it’s just the nature of the incident, figuring out that something has happened. And learning about it along the way, just by design means that you can’t push all the bad stuff out at once, because it keeps coming out the pure nature of the beast means that information will trickle out, which is the exact thing you’re trying to avoid in a traditional crisis situation, you don’t want stories to keep coming up over and over and over as new information comes out. But that is what you will have just by sheer nature of the incident in a cyber event. So you have to position yourself from a communications perspective early on, so that you have set the stage for new information to come. And you’ve set the expectation that you will have updated information along the way. So that rather than drawing a story out, or learning something new and changing your initial positioning, you are updating people rather than changing the facts.

Mitch: Oh, I like that, that’s actually really good, updating people versus changing the facts. So what I hear you saying, and I think this is true, is what you’re talking about a cyber crisis, more often than not, these are dynamic situations. And if you follow the correct playbook, you’re going to be communicating with them while they’re still occurring. So you’re gonna have your incident response teams and your technical teams trying to solve the technical side of the crisis and uncover forensics over how bad the damage was. And at the same time, you’re gonna have to communicate it. So it’s really kind of a live on the spot event, which is very different than, you know, some sort of scandal or, you know, a tree falling, you know, over a power line or something like that.

Loren: Absolutely. That’s completely true. You’re reporting facts as they come up. And the way that you do that in that initial period right after something has occurred. When you’re first communicating, you essentially set the groundwork, you lay out the vector that you’re going to move down throughout that event as long as it may take. And doing so in a way that allows that new information to enhance people’s understanding of the incident, rather than question your credibility makes a really big difference in a traditional playbook. While great for some incidents is not designed to do that.

Mitch: Well. So let’s talk about some missteps in communication. There’s a lot of examples to pull from, but I want to pick on a couple specifically today. The first one I want to talk about is the Atlanta cyber attack in 2018. I think you and I both saw the initial press conference that then Mayor Keisha Lance Bottoms gave. I think we saw that at the same time, she was asked a question by a reporter in that first press conference. My heart goes out to her. She was clearly nervous through that whole thing. And she was really on the spot. The question from the reporter was, How widespread is the attack? Does this affect the public beyond the outages for, you know, the DMV and you know, getting my house permit, and her response was one of surprise, and she stammered a bit and stuttered and looked around. And she just looked scared. And she went on to say that she didn’t know perhaps everybody who was listening to this should go check their bank accounts immediately because the threat actors could be in there, that sort of thing. You saw this too. Was that a good response? Let’s just ask you that question. Was hers a good response to that question?

Loren: No, I don’t think it was a great response to that question. You’re right just watching that your heart went out to her and to her team as they were trying to both wrap their heads around what was happening in the moment but then also put the public face to the moment at the same time.

Mitch: Did you cringe?

Loren: Just now listening to you repeat it, listening to you describe it, was cringeworthy over here. There are a couple of rules of thumb that I always try to counsel people on regardless of the specifics of an incident, and one of them is that from a business perspective, the perspective of an organisation who is experiencing an incident, your goal is to get to the other side with as minimal damage as possible, with as little of an impact. That means that people still trust you.

On the other side, people still think that you are a viable organisation of business, public office, whatever that is. And part of maintaining that trust throughout the situation is projecting an air of stability and control even when you don’t know what’s going on. Being able to say, here’s what we know, we don’t know more than that. And we will get back to you when there is more information. But here’s what we’re doing in the meantime, to try and figure it out, gives a much better impression of the way that your team is managing the situation, then what we saw in Atlanta of basically, you know, translating it into, I don’t know, but my body language is panic, too. Therefore, you should probably panic and they might have all your money already.

Mitch: Wasn’t that speculative and isn’t like speculation in a press conference on a cyber attack, like the kiss of death?

Loren: I mean, speculating pretty much in general, particularly as a public figure is never helpful. Exactly what you said, when you are in a situation that is unfolding at an unknown pace, particularly something like a cyber event, then 100% Do not guess ever. There’s no speculation. It is okay. And again, this is where it differs, sometimes from advice that you will often get from traditional PR pros. In traditional crisis situations, it’s okay to say, we don’t know, but we’re figuring it out. And it’s important to follow up that we don’t know with, we’re figuring it out in here’s how, but to just guess, is that thing that immediately draws into question your credibility from that point on and makes it very hard to recover from that.

Mitch: Yeah, I also like the fact that you picked up on her body language. I mean, part of what made my heart go out to her was she, you know, completely looked under the microscope and unprepared. And yeah, that was a tough moment. For everyone who is on the good side on this one. Hey, let’s talk about another one. There was a blog put out in 2017 called How to burn your house down in 24 hours or less the art of Equifax thing. Oh, wait, you wrote that blog.

Loren: That does sound a little familiar ringing a bell over here.

Mitch: So I want to talk about Equifax. I’m just gonna give you a broad brush question here. Because I think that there’s so much to talk about, you can pick out three or four highlight gems. So Loren, tell me what went wrong?

Loren: Let’s start with the initial communication, not even a communication down the road. So yeah, that’s kind of funny that you pulled that out. So what I saw happened in the very initial moments of the public being aware of the Equifax breach, and you can’t even say the initial moments of the breach, because we didn’t find out about it for so long. I think it was, what, over a month, month and a half, 30, 40 days, something like that, before they actually informed the public of what had happened. The mistakes that they made initially, early on, I mean, it was almost a textbook of what you don’t do. They waited too long to actually notify anyone, to notify the victims so that they could take any necessary steps to protect themselves or to monitor themselves. So they knew this had happened for a long time. But they didn’t bother to tell anybody.

Step number one, because remember, our goal here is to make sure that people still trust you enough to do business with you at the end of the day. Then I had a big problem with the statements that they put out initially in the beginning. Yeah, the one that really bothered me was the statement that came out online from Equifax CEO in the very beginning, that the very first you know, I know it’s a written statement, but the first words out of their mouth had to do with themselves. Basically, rather than saying this happened, we’re taking care of you, our customers, we’re looking into this, we’re sorry for the inconvenience, none of that it started out with Oh, my gosh, I can’t believe this happened to us.

Mitch: What was the quote, read the quote, the quote was —

Loren: ‘This is clearly a disappointing event for our company.’ Wow.

Mitch: Okay, so 50% of all Americans have their data swiped. And that is their position that they’re sorry about what happened to their company…

Loren: Right? We’re sorry this happened to us. Oh, by the way, yeah, you may have lost some stuff, too. It’s just backwards. It’s completely backwards. And, you know, that’s definitely not the way to convince your customers that you actually care about them as a company; even if they already think maybe you don’t, don’t confirm it for them. And then everything that they did in those initial days that was public facing went wrong, because it was so poorly designed, poorly planned, written up on the back of a napkin, executed poorly, etc. There was not a consistent, reliable means of putting out information from anybody. So you started questioning everything they were saying. In order to get any information and find out whether you were impacted, you had to enter personal information online to a website that they had just sort of set up on a whim. So this giant company lost, you know, 50% of everybody’s personal information, and they want you to go to this fly-by-night website and then enter your personal information. There’s a disconnect there between trust and user experience.

Mitch: Trust us, we just lost your data. Trust us again, what is that?

Loren: Right? It’s almost like saying, we lost it. Can you give it back to us? I’m not sure that was really what they were going for.

Mitch: Yeah, but I see the joke there. That’s, that’s good, Loren. That’s good. I like that.

Loren: Yeah. I mean, you have to laugh about it. It’s been wet for years now. But the call centre folks who were supposed to be answering questions and who were set up didn’t have consistent useful information either. It just kind of kept on going. And it became very clear that there was no attempt to care, if you will, about what customers were going through about people’s experience in this moment, no attempt to allay their concerns or their fears or provide them information that could give them something to say, okay, that’s fine. You’re working on it, here’s what I need to do. It was just totally inwardly focused, and the outward stuff was more just like they were trying to check a box, but they weren’t doing it very well.

Mitch: Well, and that doesn’t even count all of the mischievous backhand, you know, or backdoor events that were taking place with stock and everything like that, which is not the focus of this podcast, but there was a lot of back end stuff that it was going to damage them enough already, their communication could have served them a little better, right?

Loren: I mean, they could have at least put out enough proper communication to have bought themselves enough good grace to be able to weather that next storm. In this case, I always describe it as you have to stop digging, when something goes wrong. Okay, great, figure out how you’re gonna get out of the hole. But the way to get out is not to keep digging and make it deeper. And that’s exactly what they did. They were in the middle of this poor customer response. And then the news came out that during that time, when they weren’t telling anybody about this, their executives went off and sold their stock and made millions of dollars. So they were fine. And the rest of you, I’m sure.

Mitch: And you’re right, that was almost five years ago now. So that was 2017. So I still get advertisements from that repository to sign up for credit safety. And the first thing that I think of when I see that email in my inbox is, has there been another attack, I don’t think about them as protecting me, I think about them as somebody that I don’t trust.

Loren: And that’s five years later, right? Somebody is not protecting you. But they’re really making sure to protect themselves.

Mitch: Let’s talk about somebody who got it right. And tell me what they did well, and what the impact was.

Loren: So my favourite example of a company that got it right, not only because, you know, you don’t get to talk about the industry a whole lot, is Maersk, the global shipping... all the things. When they were part of the attack, and they were completely shut off from all the different elements of their business, they had lost the connection, the communications, the contacts, etc. It was all done. It’s helpful a little bit to understand a little bit of their structure as a global shipping company. They have their, you know, sort of headquarters office, but then they reach out into ports all around the world. And they have employees and they have staff in all these different roles around the world. And there is cargo coming in and going out, being tracked, being transferred from containers on ships to containers on trucks to warehouses and everything else in between.

Mitch: So a very, very complex ecosystem within that company structure completely shut down, completely shut down.

Loren: Absolutely. And you know, if you think about how important it might be for somebody who’s managing a massive global port to be able to understand what’s coming and going through that port. That times, however many situations they were in around the globe, it was massive, but what they did, and I love this from a communications perspective, they basically said, you know, what, we don’t have visibility into what’s happening in each of your locations, we don’t have visibility into what’s happening at those ports, with those containers with those ships with those trucks that are waiting. So we’re going to delegate the authority to just make it go to each of these individual locations. We want you to figure it out, make it happen. Keep the customers first and foremost and do what you need to do to get their goods moving the way they rely on us to do whatever it takes make it happen.

Mitch: Tell us the quote: Do you remember it? They don’t remember the quote. I remember everything they did, but I don’t remember their quote, the direction given by the senior leader of the company to everyone in the company was basically do what is right for the customer. We will cover the cost, which is starkly different than what we saw with Equifax. This one is extremely customer centric, client centric, the Equifax one was extremely company centric.

Loren: Yeah, the quote here is that they are putting the customers first covering the cost of whatever that is. Equifax was very clearly ignoring the customers and covering something else.

Mitch: Yeah, that’s very clever. I appreciate that. And you know, the funny thing is, when we started off this question talking about the Equifax question, we started talking about the fact that that was five years ago. Maersk was the same time, or not longer ago, right? Does anybody ever talk about Maersk? Do we think about cyber attacks when we hear their name? Maersk? I don’t.

Loren: I mean, we do because we’re giant nerds who dig in this all the time. Yeah, no normal people don’t. If you say, tell me a data breach that you remember using common vernacular, tell me about a data breach. You remember from the last few years, you’re gonna get people who say Equifax, you’re probably gonna get a lot of people who say Equifax, but you’re right, nobody is gonna say Maersk. And the cool thing to me about what they did went a little bit beyond just putting customers first. But I think emphasising why that was so important is as a point that’s easy to lose is that when we talk about getting through an incident, and on the other side, you want to make sure you still have enough customer trust and loyalty so that you can continue to have a business in this case, they may have lost hundreds of millions of dollars, and I believe they did in this particular event, but the customer loyalty that they earned by doing as much as they were able to do with WhatsApp communications and sticky notes on the windows and the handwritten clipboards at the, you know, points of entry. All of that, in the long term from a business perspective, benefited them so greatly because they made very clear where their loyalty stands and it’s to their customers not to themselves.

Mitch: I was actually going to ask you about that, as in what do you think the intangible benefit was here, aside from the fact that, I mean, I live on San Francisco Bay. So I see these ships go in and out all the time, when I see the Maersk ships go in and out. And when I see a Maersk ship, it’s like, I don’t have the same reaction I do when I see an Equifax email in my inbox. It is a dramatic difference in the way it makes me as a consumer feel. So that intangible benefit that they reaped, you almost can’t put a price tag on that. Isn’t that our dream as communication people?

Loren: Absolutely. Millions and billions of dollars are spent every year trying to increase the strength of reputation that way, trying to make sure that somebody looks at your name, your logo and says, Yeah, I have a warm, fuzzy feeling about them. You know how often you have a warm, fuzzy feeling about a shipping company. I don’t ship a lot of stuff. So not a lot. But being a nerd at heart, I see a Maersk container drive down 95 near where I live. And I think yep, that’s those guys. They’re doing it right.

Mitch: So I want to switch gears here quickly and talk a little bit about policy. So we have the Biden administration, who is putting a laser focus on cybersecurity. With the new cybersecurity executive order, we have yet to see exactly how that is going to roll out, what the mandates and requirements are going to be from both a technical perspective as well as a communication perspective. Let’s put on your prognosticator hat and tell me what you think we might expect to see that executive order do to communication. What do you think the outcome will be?

Loren: I love seeing these things come into being and knowing how much work and how much time and effort and just general expertise was brought to bear and something like this. And so I think one of the pieces that stood out to me as someone who looks at it with an eye towards the communications lens, is that there’s a big emphasis on reporting requirements that you know, people have toyed with and different regulations and things that we’ve seen in the last few years have different emphasis on reporting requirements, and timelines and content and things like that reporting and notification issues in general.

But when you have reporting requirements, and you have notification requirements, you all of a sudden have companies and organisations who are more regularly and consistently telling about what happened, when quite often the natural self preservation interest is to not tell and now they’re being forced to tell. And so how you manage the telling becomes more important how you handle the communication aspect of that reporting requirement, or that notification now matters because it is out there, you are required to say something and tell someone about it, even if it’s just a government agency. But when that happens, there are ways to do that, that can benefit you in ways to do that, that can make it worse.

Mitch: Well, also, if you’re required to report something, and you and I both know this from being in the communication field, the minute you make a statement about Loren Co has been hacked, and you give it to a regulator, everybody’s gonna know about that. I mean, whether or not the regulator publicises that immediately, that’s going to be out there in the public domain. So doesn’t this actually make the case for having to spring your plan into play even more nimbly and more rapidly? And more accurately?

Loren: Absolutely, it does. Because like we’ve been saying, any time that you have to communicate something that has happened, the information is going to be out there and now you have an obligation to make sure that it’s out there to your benefit or the minimum at least it is out there, not to your detriment. And like you said, reporting requirement, especially when it goes to a public agency, it is going to be public, particularly if the thing you’re reporting is in any way shape or form interesting, it is going to be public, whether you’re interesting whether you incidents interesting whether someone’s having a slow day, whatever it’s going to be out there. And so having a plan in place ahead of time of how you’re going to manage that, and making sure that that plan is built in a way that allows it to be nimble and flexible to the situation at hand, is really going to benefit those companies who can have that foresight to handle that ahead of time, and to have those plans in place ahead of time in a way that lets them benefit from that notification requirement.

Mitch: So walk me through this, I’m just thinking in my head as you’re talking. So if reporting requirements are accelerated, and Loren Co gets hacked, and Loren Co is required within 48 hours, or 24 hours, or whatever it is, of finding out that she has been hacked, of discovery, if Loren Co is required to report that to a regulator, and you don’t report it to the public at the same time, what’s going to happen?

Loren: I think you find yourself back in that situation of have I done everything I could do to make people trust me and to maintain my credibility in this situation? Or am I doing something that makes it worse for myself. And as with any bad news anywhere, anytime, hearing it from the source versus hearing it from a third party always makes a difference?

Mitch: Yeah, that’s what I was thinking to own the message, whoever delivers it owns the message.

Loren: Exactly, they own the message. So they can paint it any way they like. But at the same time, if you think about, let’s say, a friend did something and has chosen not to tell you about it, but you find out about it anyway. You’re now not just upset about the thing, you’re upset at the friend for not telling you the thing. And you know, we don’t have to pretend like we have close buddy-buddy relationships with every company we do business with. But when it comes to a reputation that they are working very hard to maintain, and customer trust and loyalty that they are spending, as we said, millions of dollars to grow, then an unforced error that causes you to lose some of that credibility and that trust, it’s just not worth it anymore.

Mitch: It’s completely self inflicted and unnecessary, unforced error. I like that we certainly do see a lot on the communication side for cyber breaches. So let’s end with a lighter note here. I want to hear what your favourite quote is about communication because I know that you are a total word nerd and that said with love because I am too. What is your favourite communication quote? I’ll tell you mine. Actually, let’s level the playing field. I’ll share mine, you share yours, you share yours first.

Loren: Okay, so mine has very little to do with security or cyber, any of that. Notice mine. I love the Warren Buffett quote, ‘It takes 20 years to build a reputation and five minutes to ruin it.’

Mitch: Well, obviously that was written before the internet, because it’s more like 30 seconds now.

Loren: Absolutely followed only by my second favourite quote of, ‘A computer lets you make mistakes faster than any invention in human history.’

Mitch: So mine is also not related to technology. It is by Anne Morrow Lindbergh. And I think you’ll appreciate this, ‘When good communication is as stimulating as black coffee, it’s just as hard to sleep afterwards.’

Loren: I love it.

Mitch: So there it is. So Loren Dealy Mahler from Dealy Mahler strategies. Thank you for being on the podcast today on Into the Breach.

A special thanks to our guest Loren Dealy Mahler for her time and insight in the making of this episode.

If you want to hear more stories like this, make sure to subscribe to Into the Breach on Apple Podcasts, Google Podcasts, and Spotify.

You’ve been listening to Into the Breach, an IBM Production. This episode was produced by Zach Ortega and Clara Shannon. Our music was composed by Jordain Wallace with audio production by Kieron Banerji. Thanks for venturing Into the Breach.

Mitch Mayne
Public Information Officer, IBM Security X-Force

Mitch is the Public Information Officer (PIO) for IBM Security X-Force. Mitch is a well-known voice in the cybersecurity realm, and the author of several tho...
