No matter how many security precautions a company takes, sometimes there’s no way to avoid a cybersecurity breach. No security plan is foolproof. Hackers will always find some way to exploit the company’s infrastructure or its employees. That’s why companies need to improve their crisis management and be ready.
So while a good security system is essential for every business – big or small – having a crisis management plan is just as important. This plan should always include how the business will communicate a breach to everyone. Think about clients, shareholders, the media, and other stakeholders. Even if a company lacks a solid pre-made plan, there are still some basic communication steps that everyone should follow. Let’s take a look at these now.
The Rise in Cyber Incidents
Sadly, the number of cybercrimes has ramped up considerably of late. The increased focus on IT projects and the shift to remote work are both big factors, as is the growing complexity of hacking attempts.
With this in mind, companies should not wonder if they will be attacked. They should instead start considering what happens when an attack succeeds. If it happens tomorrow, will the company be able to handle the situation and recover? What can the company do today to make security even tighter?
Using a Different Approach
Remember that cybersecurity needs a holistic and consistent approach to keep systems secure. Keep employees and their behavior and devices in mind, too, especially remote workers. Get tools like a VPN service installed, if necessary, to add another layer of protection.
This article is about communicating after a breach has already happened, but preparation is always the best defense.
Act Quickly During Your Crisis Management
Usually, when a new breach has been discovered, things are still new and chaotic. The company usually doesn’t have the information about the scope of the breach yet or an idea of everyone affected. But even if it’s still a developing situation, the communication process should already be underway.
It’s crucial that the first time people hear about this breach, it’s directly from the company. If an insider or employee exposes the “secret” first, the damage can be far worse and much harder to repair.
Try to Establish Some Facts First
It may take months for every relevant detail to be discovered, but the company can’t wait that long to talk about it. Things can be quite disorienting and uncoordinated at first. Yet, it’s essential to establish the facts as soon as possible.
Try to keep a log of what has happened and any developments that occur. Also, arrange these facts in an easy-to-understand order. Then use that as the basis from which the company will decide what to communicate to the outside world.
Before releasing any information, inform your crisis team of the breach first and have a meeting with IT and the company’s CISO. This is an essential step. Sometimes there is sensitive information about a breach that you shouldn’t release to the public yet. IT or the CISO will be able to help identify what information is safe to release.
Also, keep in mind that there will be many questions from the media, clients, and stakeholders. It’s better to have at least a few answers ready for them than to give vague replies or answer “We don’t know” to every question. That doesn’t mean saying “I don’t know yet” isn’t allowed at all, as people do expect honest and open communication. But they also want to know what’s going on and what the company is doing about it.
Who Should Be Notified First
Does the company send out a notification to clients or stakeholders first? Maybe employees should know everything before everyone else? When it comes to letting people know about a data breach, it’s better to let everyone know at the same time so you control the message. Otherwise, it comes across as if the company is trying to hide something. Or, even worse, false information spreads through other parties before the company’s own message gets out.
Provide ongoing updates as the situation evolves and new information comes to light. This helps to maintain trust. Yet, people don’t necessarily need to know about every new development.
Offer to Help
If the breach involves your clients’ data, reach out to them with support. It doesn’t necessarily have to be financial restitution. It can also be helpful advice on what they should do next to secure their accounts and devices.
For example, you can inform your clients about:
- Financial restitution
- Advice on securing accounts
- Password creation advice
- Advice on legitimate communications from the company
- Free credit rating agency membership
The Bottom Line
Cyberattacks have ramped up in the past couple of years, even more so during the pandemic. Nothing highlights this more than the recent string of federal agency security breaches.
A data breach and the ensuing PR crisis can result in a lot of panic and confusion, especially when the company is not prepared.
Don’t wait until the crisis has hit to start thinking about what to do. Start preparing now by setting up a crisis communication plan.
NordVPN is a virtual private network (VPN) service provider. It has desktop applications for Windows, macOS, and Linux, mobile apps for Android and iOS, as well as an application for Android TV. Manual setup is available for wireless routers, NAS devices and other platforms.