Our thinking

The top 5 mistakes companies make in cyber crisis communications

Siobhan Gorman identifies the top mistakes that companies make during a cyber crisis and suggests how to avoid these pitfalls.

Originally published on https://www.cybervista.net/.

Experiencing a breach may not damage your company, but managing it badly in the public spotlight almost certainly will. The casualty list for mismanaged breaches continues to grow, most recently claiming Equifax CEO Richard Smith, and several others at the company.

Preparing in advance for a potential (likely) cyber crisis is, fortunately, becoming the best practice for corporate governance. But even the most-prepared companies can make mistakes in the white-hot center of a breach. Here are the top 5 mistakes we see companies make, when responding publicly to a cyber crisis—and what you can do to avoid them.

1. Providing numbers or breach scope details

We’ve learned through experience that the first numbers a company receives describing the volume of records affected in a breach are almost always wrong. Target’s initial estimate was off by 70 million records stolen. The Office of Personnel Management had to revise its 4 million records estimate to 26 million. Equifax recently revised its estimate up by 2.5 million records to 145.5 million. Each revision creates a new news cycle, and adds to a narrative of mismanagement.

2. Publicly attributing the believed source of the attack

Your customers, clients, employees, or whoever else was affected by a breach don’t care about who hacked you. They just want you to fix it. While naming a perpetrator may deflect attention from your company and prompt whodunit news stories, it will keep the incident in the news and overshadow measures the company is taking to address the cyber incident.

3. Ruling out data or systems affected (unless that data was never collected)

When trying to reassure customers and contain reputational damage, it’s very tempting to describe the data that is presumed untouched after a breach. Stating definitively that certain systems were not affected is very risky. We’ve seen that initial “facts” almost always change as an investigation proceeds (see #1), and often a forensics investigation will discover a hacker managed to worm his way across a company’s network in unexpected ways.

4. Ignoring media calls

The story will be written whether you respond to a reporter’s inquiry or not. I wrote many breach stories as a journalist, and if a company didn’t call back, I grew more confident—not less. Responding to a reporter is a company’s opportunity to demonstrate it is investigating or addressing the issue.

5. Focusing on media response to the exclusion of customers or employees

It can be easy to get caught up in the immediate public focus on a breach, but your customers and employees are what allow your company to continue to do business. They are almost always your most important stakeholders, and if you ignore them, they will hold it against you.

Avoiding These Pitfalls

So, based on our experience, here’s what you can do to avoid these pitfalls:

1. Prioritize your stakeholders

Here’s where planning in advance is critical. With smart scenario planning, you can understand in advance who your key stakeholders are—and then map out how you would contact them in the event of a cyber incident and what you would say.

2. Write all communications as if they will become public

Hackers, particularly extortionists, now do their own public relations. Assume any communication with them will be released. Employee emails, even the ones that advise avoiding media contact, often leak to the media or find their way to social media with snarky commentary. The same goes for customer or client communications.

3. Only provide data and facts you’re willing to stake your job on

Just ask the former CEO of Target, co-chairman of Sony, administrator of OPM, and CEO of Equifax.

4. Focus communications on the actions you’re taking

You can’t talk about numbers, because they’re going to change, but you can talk about the steps your company is taking to make the situation right for your customers (or other key stakeholders). Companies get credit for learning from their mistakes.

5. Take an action that demonstrates your commitment to improving cybersecurity

Even better than learning from your mistakes is demonstrating you’re part of the solution. Companies should take action internally to show they’re investing in, and possibly restructuring, their operations to bolster their security measures. Companies can also stake out a leadership role on cybersecurity within their industry to show how they are leading on the issue.

There is a range of steps companies can take well before a breach to position themselves to lead through a cyber crisis. You can develop a cyber crisis communications playbook alongside your cyber incident response plan and road test both in a simulation.

We’ve found that steps like these allow companies to work through tough issues and communications gaps in advance, so you aren’t forced to navigate those under the pressure of a crisis.