When it comes to cybersecurity breaches, there are two types of organizations: those who’ve been breached and those who don’t know they’ve been breached.
So, let’s assume the inevitable: Your organization has been breached. An unknown quantity of data has been stolen, records have been compromised, potentially damaging information may now be on a Wikipedia page, and your customers’ personally identifiable information is floating around the internet. It’s time to plot your communications strategy.
Oh, wait. Too late.
Unfortunately, no matter how many smart steps you’ve taken to shore up your cyber defenses—girding your networks, and protecting your data with sophisticated tools and services—it’s important to plan for a breach, especially considering that data breaches are occurring more frequently and with increasingly insidious intent and impact. It’s in every organization’s best interest to assume it will be hit—likely again and again—and have a detailed, actionable, and well-rehearsed communications plan already in place when a breach happens.
Breach communications is more than sending letters to customers, talking to the media, or engaging lawyers. It is a comprehensive system of gathering, vetting, and sharing information with all relevant internal and external audiences. It also is designed to help ensure an organization’s ability to recover and restore operations after a data breach, regardless of data loss or financial and brand damage.
In our many client engagements, we’ve seen a fair share of data breaches. We’ve seen smart, disciplined, well-planned, and meticulously executed communications strategies. But unfortunately, we’ve also seen some regrettable, unstructured, and poorly executed efforts. In assessing both the successes and failures, we can offer actionable advice:
- Stay calm. The first few hours following the discovery of a potentially damaging breach are critical, and you can undermine your organization’s well-intentioned efforts to minimize the internal and external damage if you allow yourself to be overcome by adrenaline, fear, or a misplaced need to seem bold and aggressive.
- Be prepared. It is an egregious failure of an executive’s or a board member’s fiduciary responsibility to not take the time and energy to prepare an action plan that includes steps to take before, during, and after a breach.
- Engage all key players well in advance. When a breach occurs, everyone must know his or her role—which requires that the right people are recruited for input on the plan’s development, for involvement in game planning the response, and for assigning the proper roles and responsibilities.
At the heart of every breach communications plan is what you do before, during, and after a breach hits. Being prepared is a critical component of your breach communications strategy, but what are the actual steps you should put in place?
Assign roles and responsibilities. Once you’ve engaged all key players from all key functional groups, you need to decide who is doing what. At this point, don’t worry about “committee creep” by including too many people. Some people and functions may participate in the overall communications planning, others may focus on a particular function. The key is crystallizing everyone’s role so that when a breach happens and time is of the essence, there’s no ambiguity around who does what when.
Take a broad view of your communications targets. Obviously, consumer, business, and trade media are important, but they are far from the only people and groups with whom you need to communicate. Regulators will also be keenly interested in the status of your efforts, the extent of the breach, and your plan to stanch the damage. If you’re a publicly traded company, stock analysts will be asking you questions while also answering others from the media about any potential impact to your stock price or competitive position. And don’t forget law enforcement organizations.
Identify and engage experienced third parties. Crisis communications firms, outside legal counsel, investor relations firms, and cybersecurity consultants all provide valuable perspectives from different areas of expertise. Undoubtedly, they’ve all been involved in similar incidents with other firms in the recent past, so they will be able to share advice based on real-world perspectives.
Pressure-test your plan. Okay, you’ve done everything listed above. You’ve got a comprehensive plan and everyone knows their role. Now what? Pressure-testing your plan is one of the most important things your organization can do before a breach hits. It could involve something as simple as tabletop exercises, where a pseudo-breach is assumed and everyone talks about what they are going to do. Or, it could be something more realistic, such as a full-on simulation where participants are not told it’s a drill and might do everything short of notifying law enforcement.
Determine how you will communicate. Depending upon the type and severity of the breach, your normal communications media—email, internet, even phones—may not be available to you, either because they have been damaged or their security has been compromised. Have a plan to utilize out-of-band communications and, even, engage in face-to-face discussions.
Keep the board informed. You’re not necessarily asking for their permission on any aspect of your plan, but there’s a good chance that some, if not most, of your board members have dealt with similar situations in their own organizations. Listen to their experiences and heed their advice about steps to take in developing a more effective breach communications plan.
Engage law enforcement. Not surprisingly, the increasing incidence of cybercrime has driven law enforcement agencies to treat digital crimes on the same level as crimes of the physical world—robbery, assault, and others. While schools of thought are divided on how proactive organizations need to be in involving local law enforcement when a breach occurs, it’s a smart practice to build relationships with law enforcement as part of your pre-breach planning.
We cannot stress enough how vital it is to have an honest, open, and brutally candid discussion among your executive colleagues about your breach communications plan. Cybersecurity is a leadership test—not a technology glitch. It demands the full attention and resolute commitment of both business executives and the board, and extends to their involvement in the development of a comprehensive and actionable breach communications plan, which is too important and complex to be left to a single individual to architect.
Cybersecurity isn’t a static state; your technology solutions are always evolving to meet the changing nature of threats and vulnerabilities. Your breach communications plan must be every bit as flexible, dynamic, and modernized as your technology infrastructure. If it’s not, fix it—and fast. It’s not an overstatement to say that your organization’s very viability depends on it. Thoughtful planning, regular testing, and meticulous execution of a breach communications plan will separate the industry leaders from those that become cautionary tales in the wake of a breach.
Robert Boyce and Justin Harvey are Managing Directors in Accenture Security. This article has been excerpted from Navigating the Digital Age, Second Edition.