If 2017 taught us anything, it’s that the actions taken in the wake of a cyber incident impact a company as much, if not more, than the actual incident itself.
Sound a little extreme? Ask any customer, shareholder or executive at Equifax, Uber or Yahoo. These aren’t examples of technical responses that just fell short. They are examples of companies that greatly increased the impact on their organization by fumbling their incident response.
Whether by neglecting to notify customers in a timely fashion, providing incomplete or misleading information, lacking consistency or just appearing not to care, companies – of all sizes – are finally realizing that the way they communicate before, during and after an incident ultimately determines the cost to their organization.
There is no easy step-by-step guide to effective cyber communications. Every company is different, but there are three universal truths that should drive your planning and response process.
- Cyber Crises are Not the Same as Traditional PR Crises.
Before anything else, you have to understand that a cyber incident doesn’t work the same way as a traditional PR crisis, i.e., a product malfunction or CEO scandal. Information does not flow the same way, and you have to establish a process for communicating updates in a way that projects reliability and transparency, rather than a sense that you’re changing your story. To account for this difference, your IR plan can’t just rely on the same old PR playbook.
- Trust is Everything.
Your business is built on trust. Whatever products or services you sell, people buy them because they trust you. When you fail to provide timely, accurate information, or your story appears to change over time, that trust begins to erode. Setting up an IR plan that effectively communicates transparency and security will ensure that when your system has recovered, people will still trust you enough to use it.
- A Good Response Starts with a Good Plan.
Any good coach will tell you that your performance on game day is only as good as your playbook and practice. Incident response is no different. If you haven’t already incorporated cyber communications expertise directly into your IR plan, a simple communications audit can help identify any vulnerabilities that could crop up during a response. And if you haven’t already scheduled at least one annual exercise to really practice your plan, this is the time of year to do it.
Overall, 2017 was a whirlwind of high-profile data breaches and killer headlines. In 2018, you already know that you can’t prevent every attack, but by ensuring that smart cyber communications planning is incorporated into your incident response, you can prevent yourself from making it worse.