Data disaster Data theft - this is how crisis communication works. The nightmare for every company: a cyber attack resulted in a data theft. How can this worst-case scenario, not to mention the financial and material damage, be overcome in terms of communication without losing customers or shareholders?
In a discussion, Sophos and Associate Professor Jason RC Nurse from the University of Kent developed important answers and a guide to this essential question. When the IT security meltdown has occurred and cyber criminals have been able to steal large amounts of company data, forensic questions such as uncovering the gateways and the hackers' approach in the network are of course very much in focus. When it comes to responding to data theft, one important point must not be forgotten: What do I say to the public and how do I communicate it? A cyber attack is always an unwelcome surprise. But with appropriate preparation and a well thought-out reaction, the relationship of trust with customers and the public can in many cases be maintained.
As part of its cybersecurity summit, Sophos spoke to associate professor and cybersecurity specialist Jason RC Nurse - associate professor of cybersecurity - about the communication strategy for a data theft.
Communication strategy for emergencies
The amount of work involved in preparing for a data theft is critical, but many organizations overlook this prep phase - at least when it comes to communication strategy. In order to react effectively to a data breach, the company must determine in advance who will speak in public, how customers can best be reached and which general communication regulations apply.
The list of those who speak in public should be as small as possible - ideally a maximum of two people “with importance”, because journalists want an expert or a manager. This ensures that the message remains consistent and that confusion is eliminated. It is helpful to anticipate possible questions from the press, shareholders or customers and to have compact answers ready. This master plan should be drawn up for various security incidents and kept up to date with regular reviews.
In addition, these regular test runs ensure that every employee knows their responsibilities and knows who they are allowed to talk to about what.
Disclose or keep secret?
Sincerity remains the best strategy for corporate incidents, unless otherwise required by law. If the company decides to keep it confidential, there is always the risk that the incident will come out later and the damage to its image will be even greater. In addition, those responsible must not underestimate that the stolen data can end up in criminal online markets and thus become public.
To take responsibility
When a cyber attack has taken place, those affected quickly become tempted to portray themselves as victims. And although this is entirely true in a technical sense, the public often judges such behavior negatively. Anyone who, as an organization or company, is entrusted with or works with personal or other important data is responsible for protecting this data. Therefore, companies should understand the dimension of data theft from the customer's point of view, take responsibility and communicate quickly, clearly and objectively how to react to the data theft.
Brief guidelines for crisis communication
- Reply quickly. Often there is only one opportunity to make a first impression and it should be trusting. Good preparation facilitates an immediate response that is measured and accurate.
- Deliver a clear message. No technical jargon when addressing customers, shareholders or the general public. Direct and emphatic communication is far more effective.
- Use a single source. Communication via various news areas or social media channels in the company can quickly dilute what is actually a clear message. A single and up-to-date statement directly from company management via a company channel helps to get the message across clearly.
- Take responsibility. Shareholders, customers and the media reward companies who stand by their mistakes.
- Keep everyone involved informed. Draw up an action plan so that shareholders and customers can also be competently informed after the first “going public”. In this way, the good relationships that have often been built up over many years remain intact.
Background on Jason RC Nurse: he is Associate Professor of Cybersecurity at the University of Kent and Visiting Fellow at Oxford University. His research focuses on the socio-technical aspects of cybersecurity, privacy and trust. He has incorporated his years of research into an evidence-based reference system that works out the best way to deal with potential damage on the relationship level that accompanies a cyberattack.
The conversation with Professor Nurse is also available as a video.
More on this at Sophos.com
About Sophos More than 100 million users in 150 countries trust Sophos. We offer the best protection against complex IT threats and data loss. Our comprehensive security solutions are easy to deploy, use and manage. They offer the lowest total cost of ownership in the industry. Sophos offers award-winning encryption solutions, security solutions for endpoints, networks, mobile devices, email and the web. In addition, there is support from SophosLabs, our worldwide network of our own analysis centers. The Sophos headquarters are in Boston, USA and Oxford, UK.