When news breaks of a possible data breach in a major organization, we find that journalists, investors, customers, supply chain partners, and sometimes even Congress, press the leadership and PR team at the company for quick answers. Their common questions include:
- How did this happen?
- Did the attacker access sensitive data, like personally identifiable information (PII)?
- If so, how many records were raided?
- Who are the attackers, and what are they doing with the exfiltrated data?
- When did the organization find out?
- Who is at fault internally?
The pressure to quickly answer challenging questions like these is so intense, it cannot be overestimated. But the way an organization responds can be the difference between exacerbating the reputational and financial damages from a data breach, and mitigating them. The wrong response can even go so far as to aid the attackers.
With stakes this high, smart companies can’t wait until a breach occurs to develop a PR plan for this type of crisis. Rather, they include “communications planning” in their incident response plan. The precise details of what the company should communicate, and when, are kept flexible, but organizations should determine the basics in advance like who they’ll need to communicate with and what they’ll be asked.
The first step to creating an effective data breach PR plan is a stakeholder analysis. A stakeholder analysis begins with research to achieve a clear and complete understanding of who the organization needs to communicate with and what each audience’s unique interests and needs are. While there will be overlap, an audience of investors (for example) will not have the same focus or requirements as supply chain partners, customers, or governmental authorities.
Empowered with this intelligence, the PR team can then tailor its talking points to convey what is most important and top-of-mind to each party – an advantage which will maximize the impact and effectiveness of their message. This also allows the PR team to carefully plan how to reach each audience and who will speak to each one. The individuals selected to be on call for communications during incident response should then receive specialized training for these matters and should be given the opportunity to ‘rehearse’ their roles during periodic preparedness exercises that test the company’s overall incident response plan, including what not to say.
Filling in the Blanks
During a cyber incident, the PR team will be racing to fill in the blanks of exactly what should be said and when. These decisions shouldn’t be made in a silo. In an actual incident, most companies seek help from three sources: legal counsel, PR experts, and ‘cyber responders’, who are experts in identifying, containing, and remediating cyber breaches and the supporting evidence – and any PR effort must seek input from all three of these sources. This prevents talking points from, for example, violating legal privilege, and seeding misinformation about the investigation.
There is a substantial risk of doing harm by saying something that does not have credibility during incident response. For example, a company can state that it has firewalls and an incident response policy in place, but external validation of the effectiveness of these elements is expected by a smart audience – otherwise a statement like this generates doubt in the audience. In another scenario, if a public statement is made that lets the attackers know they’ve been spotted before they’ve been forced out, the attackers can do more to erase their tracks and will be inspired to steal more data more rapidly.
One of the most common errors in cyber-attack PR incident response is inaccurately proclaiming how many records were accessed. Fact-finding in complex breach investigations takes time. Communications should move quickly, but PR professionals need to have a strategy to deal with inquiries from stakeholders during the period needed to establish a factual foundation.
Responding to Your Stakeholders
In the event of a cyber incident, basic crisis communications guidelines should be followed:
- Don’t retreat into denial. Acknowledge there is a problem and control your message;
- Carefully assemble the facts and convey them in a straightforward, conversational manner;
- Designate one trusted professional as the spokesperson and have that individual speak on a regularly scheduled basis to stabilize contact with the press;
- Use dignified, jargon-free language and a serious tone that says, “We get it, and we’re dealing with the situation”;
- Don’t react in a defensive way. Go on the offensive when appropriate by introducing new initiatives that mitigate the damage and prevent recurrence.
This guidance is specifically relevant to PR efforts during an incident. However, organizations also need a proactive cybersecurity communications plan prior to any event, and much of the same preparation applies. Proactive and reactive PR efforts each requires its own PR plan and unique stakeholder analysis. In the best case scenarios, both plans should be developed in tandem. This ensures consistency and prevents the company from backtracking on proactive claims when reacting to a cyber incident. To build resilience against cyber threats, preparation for the worst always trumps simply hoping for the best.