by Jeff McAndrews, Partner, and Kirsti McCabe, Managing Director, Finsbury
Discovering that your company’s cybersecurity has been compromised is likely among the worst nightmares for any CISO. What do you do first? How do you share the news with the people who matter most to your business and the success of your operations? Where do you even begin?
As a CISO, your immediate priority will likely be to identify any technical issues that led to the incident and consider ways to track the culprit, minimize the impact to your customers and prevent further attacks. But another important point to consider is what exactly do you say about it? What role can the CISO play more broadly in supporting and informing those communications with internal and external stakeholders? What do communications professionals consider in making these determinations?
If we had an overarching piece of advice to share with companies on how to deal with the communications fallout from a cybersecurity incident, it would be this: Be forthright.
The potential for the disruption of IT systems, exposure of sensitive customer information or attacks on infrastructure are not just operational risks in today’s digital age, but reputational risks. Companies are routinely assessed on how they respond to such incidents and how they are able to minimize damage to customers, the business and the brand. A critical component of this effort is how they communicate about the incident with external stakeholders.
First – the world is not against you. Consumers expect companies to go to great lengths to secure their information, but they also understand that the landscape is complicated and that a cyberattack can happen even to the best of organizations.
The public is less understanding, however, when they think companies do not have a grip on the situation or are obfuscating the facts. People will be even less forgiving if the company tells them it has the situation under control and that the consequences of the attack are contained – only to find out later that things are actually much worse.
Against this backdrop, there are many steps you can take to help enable rapid, effective and accurate public communications in the event of a cyber incident.
Have a plan.
Before ever experiencing a breach, the most important thing a CISO can do to prepare for communicating about an incident is to ensure a robust rapid-response, notification and escalation plan is in place. Having this type of action plan in place will prevent you from having to decide what steps to take in real-time when trying to deal with the crisis, including what issues should be elevated to whom and when. It’s challenging to make the best decisions under such circumstances. Having mechanisms in place at the outset will help accelerate decision-making and support rapid and accurate communications. Development of such a plan should include:
Establishing a senior working group – including representatives from legal, communications, public policy, regulatory affairs, operations, human resources and the CISO – who will coordinate with each other on gathering the facts and developing internal and external messages in response to the crisis. The plan should provide a contact list to indicate how key people can be contacted after office hours.
Appointing a spokesperson who will explain what happened and what is being done to address the problem, and answer questions through public updates. The key people who will communicate with customers and internal stakeholders should also be identified beforehand.
Preparing in advance draft public statements, messages, questions and answers and other audience-specific materials, addressing various potential cyber incidents. These can be modified to include facts specific to the situation as the details become available, but thinking through and building consensus around a message platform beforehand puts a company ahead of the game when a crisis hits.
Creating a decision tree that clearly identifies who has the authority to make decisions on when to act or what to say.
Get out in front of the issue…
In general, it is always prudent to be proactive and disclose the issue to key audiences as soon as practical (unless there is a risk this will impede efforts to identify the perpetrators). It is better if you control the narrative rather than other actors, say, through an internal leak or a similar disclosure through an involved third-party. If you take too much time to disclose that there has been a security breach – especially in cases where personal or financial data may have been compromised – the perception of a “cover-up” can oftentimes be more damaging from a reputational perspective than news of the breach itself.
…but don’t overstate – at least until you have all of the facts.
It is important at the outset to be credible and demonstrate to critical audiences that you are on top of the situation as best you can. But if you don’t get your facts and your narrative straight, people may begin to question your credibility or your ability to manage the situation.
In rapidly evolving situations like a cyber breach, sometimes it’s better to acknowledge what you don’t know rather than overstate what you think you may know. Early on in a situation, sometimes the best you can say is that you discovered a problem, you are investigating it, you are doing everything you can to take countermeasures and you will provide more information when you have more details.
Resist the urge to make premature claims or promises. Do not rush to say only a few thousand accounts have been affected, for example, only to discover later that 20 million accounts have been affected or that significant personal or financial data were stolen.
Above all, being forthright and clear can play a critical role in helping reassure your external stakeholders.
Taking responsibility does not necessarily mean that the CEO, CISO or other pertinent officers of the company must resign or take other drastic measures. Rather, it may mean simply acknowledging the lapse, expressing regret for what happened, vowing to remedy the situation and taking steps to prevent a reoccurrence.
An early acknowledgment of accountability and visible efforts to contain the damage can go a long way in assuaging public concerns.
Know how to reach your customers and address their needs.
As a company manages and investigates a breach, it is essential to communicate concrete steps being taken to help any customers you may have, especially those who have been affected. Make sure that you do this in a manner that is simple and easy to access. One misstep during a recent cybersecurity issue happened when a company offered credit protection consumers had to pay for, aggravating the negative perceptions.
It’s also useful to provide platforms for consumers to elicit information and ask questions so they feel they are being heard. Before a real crisis, stress test these platforms, such as your website or call center, to ensure they work and have sufficient capacity for a sudden surge of activity.
Do you know where your customers turn to find news and information? Do they use a lot of social media? If so, tailor your messages and use these channels to reach them more effectively. If, on the other hand, they are inclined to use traditional channels, follow those as well.
Learn from the mistakes of others.
It is just as important to know what not to do. Consider lessons from other incidents.
Last year’s breach at credit rating agency Equifax is instructive. Company leaders had known about the security incident in July but did not report it until September. The initial estimate of the problem was inaccurate; the number of affected accounts ended up being significantly higher. When the company did provide consumers with an opportunity to get credit protection, consumers could not easily access these services, as the web site kept crashing.
These missteps stand as lessons for how not to respond during a time of crisis.
For security professionals and corporate executives, the fallout of a data breach can be severe. It can take a significant toll on the company’s reputation and operations. It can hit shareholder value and even trigger job losses as people scramble to lay blame. The good news is the story does not need to unfold that way. Many companies are able to recover from a crisis if they take responsibility, are honest with their stakeholders and deliberate with their actions.
Jeff McAndrews and Kirsti McCabe specialize in crisis and reputation management, financial communications and strategic media outreach at Finsbury, a leading global strategic communications firm.