What do Wonga, TalkTalk, Mumsnet, Ashley Madison and Morrisons supermarket all have in common?
The answer is that each has been a victim of high-profile data breaches in recent years.
Most recently we’ve seen payday lender Wonga come under fire for its data breach that exposed the bank account information of over 270,000 customers to hackers. Most concerning is that the breach appears to have occurred some days before the company even noticed that its data had been compromised. A stern lesson in being prepared.
Whether an organisation is a website, media provider, dating platform or a grocer, the modern world means almost every company, charity or group stores and uses the data of customers and users.
That data is precious to the running of the business, and the protection of it is priceless to the company’s reputation.
Take FTSE250 fixed line, TV and broadband provider TalkTalk. The attack it suffered in October 2015 saw its share price more than halve from its 2015 peak by the end of the year.
Chief Executive Dido Harding was left to concede the threat had not been taken seriously enough.
Clearly, the need is for companies to invest in the best protection technology and indeed technical brains in order to fight against data breach threats.
But what happens when things go wrong, and what role does Public Relations play?
In our new PHA Insight, we provide analysis and advice on how business leaders, working with their media teams, can prepare for what happens when hackers attack.
Creating plans and drafting battle strategies for crises should be a given by now. For a broader understanding of how to go about this, please read our previous Insight on the topic.
However, the nature of a data breach, unlike many crises, means you can also practise the execution of plans.
1: Mock scenarios and workshops
These may take up to half-a-day to perform. However, when constructed and run in the correct way, they’ll ensure the crisis team and the wider company know exactly what each cog in the machine is doing in the face of a data breach and how they are communicating.
Sessions can be held around mock data breaches. In some you may wish to give team members advance warning that practice is taking place (busy diaries may require this) but do not pass up the opportunity to test with ad hoc sessions.
This wider practice will save valuable minutes and means you will not have to hold a lengthy, time-wasting war council should you be the victim of a cyberattack.
The legal view on this comes from Magnus Boyd, Partner at Schillings Law Firm, who says:
“An organisation is accountable for every minute from the point of detection. Effective cyber crisis management only comes about when the relevant team knows who they are and what they need to do and that only comes from effective training and regular rehearsal.”
Practice should also include scenarios when none or few of the team are actually in the office or place of work – for example in the middle of the night or at weekends.
2: Educate with internal communications
Using internal channels to educate staff in the value of the data the company holds is a key requirement.
Everyone needs to understand that the details being held by a company can be more important than bricks and mortar and fleet vehicles.
This is doubly the case when those details go beyond names, ages and addresses and begin to include bank details.
Magnus Boyd comments: “Too many assume data security is a purely technical function and consequently assume it is someone else’s responsibility.
“However, effective cyber security rests on a very human appreciation of the value of personal data and the costs and consequences of its loss. That is why we advise organisations to train a select group of people from across the business to become information emissaries.”
Mr Boyd adds: “For information to remain secure, it first needs to be valued. Only then will employees appreciate the need to look after it. Machines are not malicious and computers are not culpable. Ultimately, all data loss incidents include a human factor, which is why prevention requires a human-led solution.”
3: Face facts
A data breach, depending on the size and scale, may not necessarily lead to media exposure or enquiries.
But just because the media doesn’t know about it doesn’t mean you should not be communicating. There should be no burying heads in sand, hoping that the hack may not have caused much damage.
Customers are the most important stakeholder in a breach and need to be informed. They need to be told what steps to take. As with most communications plans, the strategy needs to span all channels, including social media, letter, email and of course, your company website.
4: Utilise the media
As discussed, it could be that the media does not know about the breach.
That may depend on a number of factors. One is simply this:
Have the hackers told the media they have breached your company’s security?
If the hack has been achieved to gain publicity for a particular organisation, then it is a good bet the media has been informed.
If not, do you approach media with the news yourself?
- One advantage is that you are on the front foot, and can work to control the narrative, particularly in telling what legal/investigative measures you are already taking.
- It also promotes openness and transparency, and may help gain the trust of the regulator, the Information Commissioner.
- It heightens awareness.
- You will need to be in receipt of the full facts and figures.
- Be prepared to receive a tough time from journalists, particularly if there is an air of the hack being down to poor security.
- Handling interviews should be part of the response plan.
Once again, practice makes perfect and media interviews can be prepared for in crisis media training. You will need to strike the right tone.
5: Prepare for responses from other stakeholders
One element you cannot control is the output of other stakeholders, be they regulators or customers, particularly corporate ones.
In some cases, they will be expected to state views/positions on what has happened. In some cases, they will voice criticism and it is vital that contact is maintained with them as you do not wish to be caught cold.
Often a relationship between press teams can be valuable as it can mean your company being briefed on any statements/press releases which are being issued.
It is important to keep thinking ahead, beyond the data breach, and to provide important updates as and when you have them.
Published, 14th March 2016