“Data breaches have become the leading risk to data and privacy in the last 10 years, and there’s no sign of an end.” This ominous statement from the Avast Business Threat Landscape Report for 2018 isn’t hard to believe. In 2017, there were more than 2.5 billion publicly disclosed data breaches, an 88% increase on 2016, and more than 7 million data records were lost or stolen every single day.
While many businesses will set about increasing preventative measures and cyber security defences, creating an incident response plan can often be left off the list. There is an underlying hope or assumption that ‘it won’t happen to us’, and a feeling that the time and energy spent creating a crisis response strategy could be better spent elsewhere. But when data breaches happen – in ever-growing numbers – having a planned response can be the difference between a PR catastrophe and a chance to increase customer trust.
The good, the bad and the ugly
There have been a number of well-reported data breaches in the last decade, from Target to Sony and the NHS. In some cases, customers have found out that their data has been compromised by picking up a newspaper or watching television, long before the company responsible for that data had gotten in touch.
Target’s infamous 2013 breach, where 40 million customer credit and debit cards were compromised, has become an example of what not to do in crisis management. Without pre-planning, the decision was made not to announce the breach publicly – details of which were then leaked to the press.
Customers finding out about the issue from third parties began calling customer services only to find that the phone lines were jammed, because there wasn’t a dedicated crisis line ready to take the strain. Rather than reacting to their breach with speed and transparency, Target created a widespread feeling of confusion and mistrust by trying to brush it under the carpet.
According to the Deloitte Privacy Index, a third of people who find out about a data breach from the company under attack actually report improved trust in that organisation as a result. The longer the time period between a data breach happening and a business announcing it, the larger the risk that someone else might start spreading the word for you.
With the implementation of GDPR, additional care needs to be taken with regard to what information is revealed about a breach. The public announcement should provide general information about the type of data that is affected and confirm whether payment or personal data is involved. This is key to providing reassurance to customers. However, any information that could impact the security of systems in the future should not be publicly released, and specific details should remain private until investigations into the breach are concluded.
An effective crisis response
Larger businesses may be just about able to take the financial hit that comes with a major data breach, but smaller and medium-sized operations can find their revenue and customer relationships so damaged that they are forced to close. 52% of small businesses experienced a cyber security breach in 2017, but only 14% had incident management processes in place.
Just as preparation can help to prevent a successful attack, it is also a crucial fixture in damage limitation when a data breach does occur. SMBs are increasingly likely to educate their staff in device security and to invest in cyber security software as a precaution against malware and ransomware, so why aren’t they creating action plans for what to do if a weak link is exploited?
Companies should consider the types of breach that could occur, and prepare at least a basic set of guidelines for what to do in such an event. This could include having a webpage on standby to offer information; press, social and email statement templates; and the basic task of allocating response roles so that staff know who is doing what. For SMBs that outsource PR tasks to an external agency, crisis management should be a part of that collaborative work.
Whether you have five staff or fifty, clear communication helps to ensure that everyone knows their role and that the message delivered to clients and other parties is clear, leaving no room for misinterpretation or mistake.
When considering the kinds of data breach that might affect your business, it’s important to reflect on where the potential weak points in your security might be.
For many businesses, it’s employees themselves that create gaps in cyber defences – whether intentionally or unintentionally. Weak password choices, falling foul of phishing emails, connecting to work networks over unsecured Wi-Fi, and deliberate malicious activity are all risks that need to be considered.
It’s also important to make sure that individuals feel they can be honest and open in admitting that a breach may have occurred, or that an error has taken place which could lead to a breach. If employees fear repercussions and try to hide security incidents, a breach can escalate and lead to much larger problems than if the issue had been communicated and quickly contained.
As well as investing in proper cyber security software that can weed out spam emails, identify risky links and help to define strong passwords for your staff, it’s important to make sure that every member of a team is educated in what poses a risk and the potential outcome of failing to stop a breach.
By ensuring clear communication with staff, who are well trained to spot and deal with potential risks, and with customers, who are contacted swiftly with open and honest information, businesses can be confident that the negative impact of a breach can be minimised – from both an internal and a PR perspective – should the worst happen.