Crisis management, or how you handle corporate communications in the face of disaster, is a well-known set of practices. You bank on being transparent, getting out ahead of the story and taking care of the situation as best as possible. It's about doing whatever it takes to avoid reputation damage. Cyberattacks are increasingly becoming one of the many potential crises organizations can face. If your company is targeted by hackers, there are several key steps you should take to minimize the impact. However, you should also establish a proactive defense before something happens.
Line up Legal Help
First, have a lawyer with data and privacy law expertise on speed dial. Statutes and regulatory demands in the case of lost data are fragmented and complicated. Different states in the U.S. will have varying disclosure requirements. Depending on where and how you conduct business, that could easily mean having to satisfy any number of demands. Lawyers should know how to tackle these.
Additionally, companies doing business abroad should seek international legal help to deal with foreign data law policies. Laws in the European Union are generally more stringent, and individual European nations may have additional requirements to meet. Similarly, Asia and other parts of the world have unique regulations, many of which are still developing. Your legal advisers must be current on changes around the world. Because global legislation tends to focus on consumer data privacy, there may be a separate set of requirements if your company is B2B focused.
Be Ready to Calm Customers
No one wants to hear that criminals have stolen their personal information. If a breach happens, you'll need to help these customers and let them know that you're still in control of the situation. Start communications as early as possible, because companies have been criticized in the past for not mentioning a breach until months later. However, know the facts first: getting customers into a panic over what might turn out to be a relatively small issue does no good. Have your technical team and outside consultants identify the extent of the breach as soon as you learn about it. Give customers an early heads-up that there may have been a problem and update them regularly.
You should also set aside customer resources. Prepare an online information portal, and have people ready to take phone calls and reassure customers. Have pre-existing agreements with a data monitoring and protection service to extend coverage to those affected. Being proactive protects your reputation and makes your services more valuable.
Repair Your Reputation
Any breach can cause damage to your company's reputation. If data loss happens, crisis communications will have to include marketing efforts to redeem the business's name. Focus on building brand image and offering examples of the company's innate trustworthiness. Mistakes can happen to anyone and anything; people understand that. However, customers also want to know that the problem is a fluke and out of the ordinary. Subtly remind them that your company is sound, careful and concerned.
Devise Joint Action With Business Partners
Companies are tied together electronically through supply chains, distributors, resellers and other business partnerships. Therefore, an attack on one could be a problem for all. Bring your partners onto your planning and response team so that any breach or malware can be contained as effectively as possible. Some of them may be able to do very little, but communication and cooperation go a long way toward rebuilding trust.
Recognize the Magnitude
You may wonder why huge companies don't often address their cybersecurity issues. The reason is that the impact from most breaches is actually very small. According to the Ponemon Institute, which studies data breaches and cybersecurity, the average attack among surveyed companies, which ranged in size from $100 million to several billion, represented only 0.18 percent of annual revenue. Yes, it's a financial loss, but a tiny one.
A company has a 22 percent chance of losing at least 10,000 records over a two-year period, which is no small probability. But multiply that by the average cost of a breach, $3.5 million, spread the result over the two years, and the risk-weighted average annual cost of a breach is about $385,000. You don't want to see that drop off the bottom line, but as far as expenses go for a middle-market company, it's not a killer. Even reputation problems vanish, though customer bases do take some rebuilding. Ponemon studied Sony's reputation daily after its major gaming network breach a few years ago. After 171 days, or less than six months, the company's reputation was back to where it had been before the attack.
However, that doesn't mean you can ignore a problem. Data breaches still require effective crisis management to minimize associated costs and public relations nightmares. But reducing unnecessary worry can help you approach the problems with a clearer head and respond more efficiently.
Erik Sherman is an NCMM contributor and author whose work has appeared in such publications as The Wall Street Journal, The New York Times Magazine, Newsweek, the Financial Times, Chief Executive, Inc. and Fortune. He also blogs for CBS MoneyWatch. Sherman has extensive experience in corporate communications consulting and is the author or co-author of 10 books.