You know the drill. It is no longer a question of if your company will be hacked or breached, but when. According to the Identity Theft Resource Center, as of 11/8/2016 U.S. companies have endured 858 breaches this year, with close to 30 million records exposed. The center determined that the top three sectors prone to breaches are business (44.8%), medical/healthcare (35.7%), and education (8.6%).
Larger companies can usually weather a data breach storm. They have adequate infrastructure, resources, in-house strategists, crisis response teams, and outside consultants. But what about small and medium-sized companies?
Their small size does not keep them under the radar, as cybercriminals do not generally discriminate–they simply seek a vulnerable target. Their sole purpose is to access privileged information they can sell or exploit to achieve their own nefarious objectives.
When a small or medium-sized business succumbs to a breach, clear, focused communication is vital. Miscommunication can seriously degrade, or even destroy, the public’s perception of the breached company or organization. During a challenging situation such as hacking or data theft, public relations (PR) becomes one of the most important functions of the company. Indeed, PR is vital to building a company’s reputation even when business is going well. But once a crisis breaks, the very life of the company depends on intelligent, honest and sustained public relations.
While some small and medium-sized companies have active public relations programs in place, many avoid implementing proactive campaigns. Why? Public relations is often erroneously perceived to be an expensive luxury—as opposed to the cost-effective necessity that it is. PR is easily misunderstood by some; it takes time to understand what PR delivers, how it works, how the benefits outweigh the costs, and how investing in PR actually saves companies money and helps them grow over the long term.
As the rate, type, and intensity of data threats rage on, confidence levels are weakening. In the Ponemon Institute’s recent fourth annual data breach preparedness survey, only 27 percent of respondents said they feel that their organization “is confident in its ability to minimize the financial and reputational consequences of a material data breach.” Thirty-nine percent characterize their organization as “effective at doing what needs to be done following a breach to prevent the loss of customers’ and business partners’ trust and confidence.”
Since data breaches will continue to be relentless, small and medium-sized companies need to understand and embrace the crucial role PR plays in optimizing communications during the full life cycle of a data breach. The following five strategies serve as a “starter course” for small and medium-sized businesses seeking to improve data breach communications:
1. Be data breach communications ready before the breach–Seriously, be prepared!
A small or medium-sized business may not need a full-fledged and permanent onsite cybersecurity team to prepare for a data breach. But it does need to put a proactive PR campaign in place before a breach hits.
It also needs to develop a specialized crisis communications plan that is data breach scenario-specific. A social media component must be included in this plan. Individual roles and team responsibilities should be clearly defined and understood in advance. Business continuity and disaster recovery plans must also be put in place in line with all pertinent standards.
All appropriate policies and procedures should be ready, with relevant third-party specialists on board. It is important to test and exercise all plans, policies, and procedures. Consulting outside experts for advice can really pay off during this readiness phase.
This basic level of preparedness will ensure that a company will be ready, able to respond, and prepared to reassure all stakeholders should their data be compromised.
2. Know your legal obligations before the breach
Large and enterprise-size companies benefit from having in-house counsel, with unlimited access to onsite legal consultation. They also often work with external law firms, sometimes on retainer.
Smaller companies should spend some time before a breach occurs researching and discussing compliance requirements with their lawyers, for as soon as a data breach is discovered, most companies are legally obligated to communicate publicly about the incident. Legal and compliance requirements exist in almost every U.S. state. In some breach scenarios, proactive communications may not be necessary–but only a company’s legal advisors should make this determination.
Breach management becomes more complicated when smaller companies have a footprint in more than one state; for example, what are the requirements if your head office is in Manhattan, your West Coast office is in San Diego, and you just opened a new office in Santa Fe? All three have different requirements; in fact, New Mexico currently has no legal communication requirements at all (at the time of writing this article).
Small to medium-sized businesses will need to communicate with great care during and after a breach, and PR is a strategic, cost-effective, and central conduit for this vital process.
3. Realize employees may speak to the media–even when they are told not to
Many company executives think that if their employees are warned not to speak to the media, they won’t. The truth, however, is that while companies have every right to order employees not to speak to the media, it would be naïve at best to expect that all employees will comply with this request.
Employees usually speak to the media for five main reasons. These include, but are not limited to, being unaware of the company press communications policy; having an ax to grind with the company; feeling the world needs to know about a misdeed; disapproving of the way the crisis is being managed; and finally, being “ambushed” by the media and spilling the beans without even knowing what they are doing. Solid in-house communications well ahead of a breach can go a long way to keeping employees loyal during potentially disastrous scenarios.
4. Expect a rocky ride
A crisis is like a roller coaster with sudden twists and turns. It can change unpredictably, intensify without warning, and resist all attempts to stop or control it, no matter how prepared you are or how much you know.
Sometimes companies who have crisis plans in place lament, “Why is nothing working?” They blame crisis communications consultants because they assume that the data breach crisis plan should fix everything instantaneously. They blame the media for attacking them, when all the journalists are doing is reporting the news.
The reality is simple. Crises of all types are totally unpredictable. New events and obstacles pop up all the time with the potential to change the course of events, slow them down, speed them up, or make them go away.
To smooth out the bumps in what will certainly be a rocky ride, be prepared, understand that stress and pressure will intensify, and call on in-house and outside experts for guidance and support. Stay flexible so you can change plans and directions with ease. The key to successfully navigating the ups and downs of a data crisis is developing carefully considered plans that can roll with the punches, and making sure your executives and crisis management team not only anticipate sudden and illogical change, but expect it.
5. Repair your brand
When a data breach is finally over, many companies understandably just want to get back to business as usual. Of course a business needs to continue operating and providing goods and services. However, returning to normal also means a company needs to nurture and restore its relationships with customers and partners who were affected by the crisis.
Apologizing is a good start, and ensuring the breach does not happen again is even better, but do not neglect to check in with affected parties from time to time. Reassure them and give them opportunities to continue asking questions. Earnest, consistent communications and a customer-centric approach are critical components to effectively communicating during a data breach and reestablishing brand trust and brand engagement after a breach hits.
Fortress Strategic Communications recently launched a data breach communications solution called 3R. For an overview, please click here: https://goo.gl/tffyHw. To review the launch press release, please click here: https://goo.gl/cS4WpW
A detailed PDF about Fortress Strategic Communications’ 3R data breach communications solution is available on request. Please e-mail: firstname.lastname@example.org
About Fortress Strategic Communications:
Fortress Strategic Communications provides specialized strategic public relations and crisis communications consulting to companies that offer products, services, and solutions designed to manage and mitigate all types of risk. FSC also provides market-specific solutions for data breach events and counsels startups looking to enter the risk management arena. The company draws on its executives’ combined 20 years of global experience in a broad array of vertical markets. For more information please visit www.fortresscomms.com
Evan Bloom, CEO