How do you stop a cyber breach turning into a PR disaster? The answer is planning.
During a crisis you haven’t got the luxury of time to prepare statements, checklists, comms plans or handouts. You will not be able to respond, you’ll appear in a bad light on social media or in the press, your company’s share price will fall and heads will roll.
But it doesn’t have to be like that.
A good crisis management plan is more than just business continuity. Crisis management is about being able to do the right things, then being able to tell people what you’ve done.
Handling the press
The first rule of crisis management used to be “stay out of the press”. With the mandatory notification requirements of GDPR, which includes the need to notify the data subject in the event of a serious breach, this will be harder to do.
It could also be a customer that discovers something wrong – with a communication they’ve received or with your website. With social media, customers can report anomalies to a wide audience quickly and easily – which then puts you on the back foot when a journalist calls out of the blue.
So what should you do when you receive that initial journalist phone call about “the big cybersecurity breach”? You may find this brief checklist useful:
- Stay calm!
- Establish some facts – what do they actually know? Are they calling on a hunch because they know you use the same software or supplier as another company that was attacked – or do they have a long list of customer complaints?
- Don’t launch into blanket denials. You only have to look to Intel to see what happens when you make early denials.
- Ask for the deadline.
- If necessary ask for an extension to give you time to investigate – a reasonable request. If they are not willing to extend the deadline, emphasise that early disclosure before you’ve had time to investigate could result in additional damage and/or losses which they would be held liable for, but at the same time offer more information in return for an extension.
- Carry out your investigation. Now is not the time to focus on who is behind the attack – what matters is who is affected and how.
- Meet the reporting deadline. Failing to meet the deadline will result in “we contacted company X but they declined to comment”.
- Minimise the impact. Explain how you are taking the correct action, in particular what steps you are taking to protect customers.
- Don’t report any numbers unless you know for certain that they are accurate and not subject to change.
- Be honest. You need to build trust and credibility.