It seems like every month another household name is involved in a major security breach that compromises customer and employee data. Target, Anthem, Sony, JP Morgan Chase and eBay immediately spring to mind. They are joined by other retailers, healthcare organizations and even government agencies that have been victimized. These companies are large enough that they will likely survive the financial and PR ramifications of these lapses, but smaller organizations, ones more like yours, may not. The good news is that these big outfits have created something of a road map for how to respond in the event of a security incident. The bad news is that they’ve done it largely by making mistakes. Here’s what they’ve taught us.
Often customers are more upset by the response to a security breach than by the breach itself. This was certainly the case with Target. The data and security blog KrebsOnSecurity publicly reported the breach before the company acknowledged it. In the eyes of consumers, this lack of transparency turned Target from the victim into the bad guy.
“The fact remains that Target was behind when this first broke,” Jason Maloni of the strategic communications firm Levick told the Minneapolis StarTribune. “Anytime you are not controlling the release of information, you lose the opportunity to cast yourself in the role of the hero rather than the villain.”
After a breach that resulted in 4.6 million user names and phone numbers being leaked online, Snapchat CEO Evan Spiegel was roundly criticized for refusing to apologize to users. Fortune magazine, echoing the point that the response was worse than the breach, even questioned his fitness to continue running the company. In a strange bit of irony, the lack of an apology became the story, keeping the data breach in the news longer than it otherwise would have been. Your organization is responsible for the data it collects. If that data is compromised, finger pointing and writing it off to the fact that “businesses of all types are susceptible to hacking” won’t do. Say, “I’m sorry.”
The worst time to buy flood insurance is right after a flood. Likewise, your crisis PR planning should not happen during the crisis. It is important to have a plan in place that covers all of your communication channels and assigns responsibility for every aspect of damage control. Even large companies like Target sometimes fail to get this right. Long waits for customer support representatives and a disastrous social media response in the aftermath of the security breach announcements were surely signs of a lack of preparation.
After eBay experienced a breach in which an attacker had complete access to its network for 229 days, the company’s response was a perfect example of what not to do. One of the chief mistakes was simply asking customers to change their passwords without saying whether financial information had been compromised. After a security incident, customers should be given as many details as possible so that they can assess the overall risk and decide what steps to take to protect themselves.
Solve the Problem the First Time
It is amazing how many of these high-profile attacks are second strikes. In September of 2014, Home Depot confirmed that a whopping 56 million credit and debit cards were affected by a data breach; then, just a month later, it disclosed that hackers had also stolen 53 million email addresses. Before the attack on Sony, the company had agreed to a $15 million preliminary settlement in a class action lawsuit over its 2011 data breach, which led to the theft of names, addresses and possibly credit card data belonging to 77 million PlayStation user accounts. Data security is difficult. Bad actors are constantly coming up with new ways to gain unauthorized access to systems, but the level of difficulty does not relieve companies of the responsibility to protect the information with which they are entrusted.
Your business is probably not as attractive a target to hackers and thieves as these huge companies are, but you can still learn from their experience and be well prepared if disaster strikes. The key is fast, honest communication backed by the actions necessary to restore the trust of your customers.