Crisis Communications in the Wake of a Cyberattack

More than a decade ago, TJ Maxx experienced one of the earliest major credit card breaches, and it led to a significant negative impact on customer loyalty and profitability. Today, however, it appears headlines are littered with new reports of large-scale data breaches compromising customer’s personal and financial information… yet customers keep coming back.

What exactly are companies doing differently to maintain consumer trust in the midst of a virtual scandal? While there are many factors to consider, the way an organization responds as well as communicates appreciation and concern following a cyberattack are key.

What is Response?

One of the biggest factors that can make or break a company following a breach, or any other type of disaster, is how it responds. First and foremost, you need to be proactive.

Previously, I discussed the importance of having a breach plan as opposed to an incident response plan (IRP) – or a proactive vs. reactive plan – in terms of business continuity and disaster recovery. During a breach, a company will need to make critical decisions of what, how, and when they communicate, as well as how transparent they are going to be with both law enforcement and their customers. Having a plan in place will make these decisions much easier and hopefully minimize the damage to the business in the aftermath.

Any response plan, however, should not be a siloed effort. A breach does not mean it’s solely the security and operations teams working through the issue. A response should be handled as a business issue that needs to be communicated correctly and effectively. On that note, your legal department and communications team should be in step with one and other to develop and convey a clear message about what has happened and, more importantly, what’s being done about it.

The only thing that might make communication difficult is, of course, compliance requirements. It’s a security person’s job to highlight the risk, but it is the legal department’s responsibility to provide an opinion on what to do from a risk perspective. Which is why your team should rehearse during response planning to ensure everyone understands their roles in the event of an actual breach. This should include C-level executives and department heads that may be pertinent.

The world of cybercrime is moving so rapidly that today’s threats won’t be the same as tomorrow’s. Keeping your response plan up-to-date to reflect the current cyber threat landscape is critical to effectiveness. Talk to peers and be mindful of the latest trends to prepare – this type of information-gathering and sharing is essential to stay ahead of the next threat.

The Long-Term Impact

Time and again we’ve witnessed the long-term impact a security breach can have on the reputation and profitability of an organization. According to a study conducted by Centrify and Ponemon Institute last year, stock prices typically drop an average of 5% when a data breach is disclosed.

However, the study also found that companies with a strong security posture are less likely to see a decline in stock prices and can maintain customer loyalty and trust, as they are better equipped to respond to the data breach. In contrast, those lacking in security posture at the time of a breach and who fail to quickly respond, experience a decline in stock price and are more likely to lose customers.

Of course, the size of the organization affected should be taken into consideration. Throughout the past several years we’ve seen large corporations such as Target, Home Depot, Uber and Game Stop experience data breaches that have had very little business impact – they’ve moved on. However, small- and medium-sized businesses are at much greater risk and cannot afford a breach. As you’re building your company and trying to build reputation, any bump in the road can shut down the whole operation. Therefore, a well thought out response plan and early execution is critical, not only for small companies, but also large enterprises.

Regardless of size, the same Ponemon and Centrify study showed that 71% of CMO’s believe the largest cost of a security incident is the loss of brand value. Putting security controls around your sensitive data is as necessary as locks on your house. As soon as you have something to keep safe, it needs to be protected.

Approaching Response as Crisis Communication

Just as you’d have a crisis communication plan for physical damage, having one in place for a breach is equally important. Cybercrime is no longer viewed as a “small” concern for organizations but instead now evaluated to be as damaging for a business as a hurricane to a city.

As cybercrime has become more and more sophisticated over the years, it’s something we must be aware of from multiple layers:

  • A sovereign state perspective – we now have true cyberwarfare where state-sponsored attackers are able to knock out an opposing countries power grid and potentially influence voters during an election.
  • Organized crime – Threat actors can easily manipulate their way into stealing millions of dollars or records through social-engineering tactics.
  • Less sophisticated attacks – This is most of today’s cybercriminal population going after both individuals and organizations.

It’s necessary to understand each of these layers to appropriately design your response to a certain type of adversary. Mom-and-pop shops don’t necessarily need to worry about cyberwarfare, but they do have to be concerned about the less sophisticated attacks. With this, it’s imperative to have a solid crisis communications plan in place, considering every angle and outlet necessary to deliver your message, e.g. website, videos, social media, press release, etc. Gaining an outside perspective and guidance from marketing consultants and/or public relations agencies can help fully round out your response and communications plan before any such breach or attack occurs.

Ronald Reagan once said, “we don’t negotiate with terrorists.” Cybercriminals are just as much a terroristic force as the ones President Regan was referring to, and to pay off a threat actor is no way to appropriately respond.

At the end of the day, the best way to overcome a breach is to anticipate and plan accordingly. Companies that knee-jerk a response to quickly communicate typically run into larger problems once the full story comes to light.

An excellent resource for getting started on your crisis communications, visit Communicating a Breach.

For more information on how you can approach response to data breaches and cyberattacks, watch our webinar, “When Disaster Strikes.”

Resource Center

More security resources at your fingertips.

Practical Content for Security, DevOps, & IT Professionals