August 01, 2018
Comms Best Practices
/ by Cision Contributor
According to data from the World Economic Forum, on average, more than 25 percent of a company’s market value is directly attributable to its reputation. And a Deloitte report establishes that reputation risk is a top strategic risk for organizations. What very few organizations realize, however, is how much of a role security disasters play in influencing an organization’s reputation.
As an organization, it’s very important to realize this fact: experiencing a security disaster is inevitable. You can’t avoid it — or at least you shouldn’t assume that it won’t happen.
Recently, it came to light that every single user account at Yahoo! was compromised during its last security breach — affecting over 3 billion user accounts. eBay was also in the spotlight a while back after it came to light that about 145 million user accounts had been compromised. Target is another high-profile hack that comes to mind — with over 40 million accounts compromised.
If these mega-corporations, some with entire security teams filled with the best in the industry, can be hacked, then businesses of all scales should expect to experience a security breach at some point.
What is most important, however, is how these security breaches are handled. According to a study of 2,300 businesses by IBM and Ponemon Institute, it will cost the average business about $19.6 million to address security disruption within a two-year period — and 75 percent of this expense will go to reputational damage and the bottom line.
If security disasters are inevitable, then how can you save your organization’s reputation in the event of a security disaster? You can have a PR strategy tailored towards dealing with security disasters. Here are five tips for handling security disasters in your organization:
According to Melanie Thomas, an expert on privacy and security-related incidents, the biggest mistake organizations make that affects their PR efforts during a data breach is a lack of preparation. “People falsely assume that they’re prepared because they ran a drill four years ago,” she says. “They also assume they’re insulated from a crisis like a data breach because they have a solid IT team. Worse still, they think they can figure it out at the time a crisis hits. That’s like playing roulette.”
It doesn’t work that way. If the security breaches Yahoo!, eBay, and Target have experienced are any indication, it’s clear that having a solid IT team won’t insulate you from security breaches.
According to Thomas, security crises can take many forms. While it could be an ordinary data breach or cyber attack, it could also be due to any of the following:
This quickly brings to memory an incident in which an ex-Hostgator employee was able to compromise over 2,700 servers belonging to the organization. Even though the employee no longer worked with Hostgator, he had installed a backdoor on these servers over the years and simply made use of this access when he was dismissed. Hostgator would later prosecute this ex-employee, but it would have been much better if they had anticipated this.
Regardless of the source of your security disaster, the first step towards being able to effectively protect your reputation is to be prepared. Anticipate all forms of security disasters and prepare a sort of “PR response plan” in the event that they happen.
When dealing with a security crisis, you almost can’t do right from a PR perspective. If you respond too fast before you have the facts, you could put yourself in trouble. If you respond too late, however, and word gets out from an unofficial source, all trust could be lost in you. According to John Mason, a cyber security and VPN expert, and founder of TheBestVPN, the best solution is transparency without being too hurried. “Let people know something has gone wrong, that you’re in control of the situation and are committed to keeping them informed, and that you’ll communicate further as soon as you have all the facts.”
Mason advises against delaying communication when there is a security breach. “It isn’t easy, but it will be worth it. Delaying like Equifax did — taking six weeks to inform users after discovering the breach — can quickly backfire,” he says.
At the same time, don’t be too hurried: while keeping people informed, only disclose facts you have. During Target’s security breach, they disclosed information underestimating the number of users affected, failed to take responsibility and later revealed that more people than initially stated had been affected. This sent a message that they weren’t prepared for the situation and were incapable of addressing it. They paid dearly for it – stocks tumbled, their CEO was fired and they became the victim of a class-action lawsuit.
It’s not easy being CEO when you find out that 145 million user accounts have been compromised. In situations like this, knowing how to convey this message to stakeholders and the public can be difficult, but you must communicate. More importantly, you must ensure you are controlling the narrative while communicating.
Here are some tips to help you control the narrative while communicating a security disaster:
Depending on the size of your organization, you should expect to be overloaded during security disasters. Whether it is in terms of requests for information from users or the media, you must be prepared. This shows commitment towards addressing the disaster and reduces the chances of your position on the issue and capability to address it being misrepresented. Here are some ideas:
When there is a major security disaster, people want to see a face communicating to them the nature of the incident as well as measures taken to address it. As much as possible, it is important to note the following:
You can’t hide from a security disaster — not forever. It happens to the biggest and the best, and it will most likely happen to you too. What really matters, however, is what you do after the event to allay users’ fears and communicate being in control. The above are five PR tips for dealing with security disasters in your organization.
John Stevens is the founder and CEO of Hosting Facts. You can contact him directly at John@hostingfacts.com