11 Oct Where PR And IT Collide: Cyber Security
The long list of consumer data breaches just keeps growing. Both Facebook and Google+ announced vulnerabilities in the last month, joining the likes of Uber, Yahoo and Reddit. And like those before them, the dent to their users’ trust depends largely on how they respond. How long did it take them to go public? What did they do to make it up to their users? To make their platforms more secure?
Ransomware, malware and other cyber attacks are on the rise, and do not discriminate by a company’s size or industry. (Apple users, you’re not invulnerable either! Symantec reports an 80% increase in new malware on Macs last year.) Employees of organizations with fewer than 250 employees receive malware in 1 out of 9 emails. Think about how quickly your inbox fills up, and that number becomes staggering.
And if anyone clicks… IT vulnerabilities can lead to huge disruptions in business and extremely costly interruptions in productivity.
Cyber Security Crises Are Communication Crises
If the communication about a data breach, hacking or privacy violation is managed poorly, the outcomes are devastating. When we teach crisis communications to MBA students, we always include recent cyber security case studies. An IT crisis can very quickly turn into a major PR crisis, impacting your business from many angles:
- Consumer confidence, trust and loyalty
- Privacy and information security
- Legal issues relating to client data security
- Insurance payouts
- Employee morale
To limit the impact on our clients’ business should an IT crisis arise, we urge all our clients to implement an IT triage plan – one that includes a PR response. Good planning includes both response strategies and risk mitigation.
Cyber Security Risk Mitigation
As with any PR crisis plan, prevention is key. Preventing a breach or network attack begins with proper training and a strong support team. Make sure your PR company is a part of the planning process. We help our clients educate their teams about new cyber security policies and precautions and why they are important. That way, if anything happens, you have a record of practices in place to protect your clients and their information.
- Keep good IT support on retainer, or in-house. Spend money on sound IT infrastructure and support. Have your IT support map out a strategy to prevent and, if necessary, recover your network.
- Train your employees on safe internet and email use. Can your employees identify a phishing attempt or unsafe website? Most breaches begin with an employee opening an unsafe attachment or link. If your employees know how to recognize and respond to potential threats, you could avoid a world of trouble.
- Keep your website up to date. Last year, more than 223 million web attacks were blocked. We update our clients’ website software several times a week to protect them against recognized threats. Some of the most prominent leaks, hacks and breaches of our time were caused by outdated website technology.
Responding to a Breach, Hack or Violation
There are always actors working hard to compromise companies’ security for their own personal gain. So, if your organization falls victim, having a plan in place takes the panic out of the situation. It puts you in a much stronger position to recover from lost consumer trust and interrupted productivity.
Here are just some of the questions you should be ready to answer before the time comes:
- Who will be involved in responding to a cyber security issue after it occurs? Your response team should include your leadership, IT experts, public relations and legal counsel. Set up an internal chain of communication, and make sure to inform everyone when the time comes.
- How soon should you notify clients and the public? You may have very little information early on, but you must respond quickly. Many companies suffer in the public eye because they put off notifying their stakeholders or were less than transparent about what happened. Uber’s consumer data breach in 2016 is still causing them trouble years later – all because they covered it up.
- Which stakeholders need to be notified first? Control the flow of information by prioritizing your audiences. Your stakeholders should always hear the message from you. Be aware, though, that once you tell one group, the word will get out. Make sure it’s your word that spreads, and not someone else’s.
- How will you contact your top clients when a breach shuts down your email system? Call your clients to let them know you are having IT issues, and make sure all account executives use a consistent message. Explain that emailing may not be possible for a certain time frame, but they should feel welcome to call if they need something. Your clients will welcome the timely personal alert and understand that some things are out of everyone’s control. Keep them up-to-date as the situation develops.
- How can you show your clients you are committed to protecting them? Share what measures you had in place beforehand. What happened? What are you doing differently in the future to protect consumers and improve security?
Protect Your Company With A Plan
An IT breach or crisis is not the end of business as you know it. By preparing effectively, responding quickly and being transparent, you can do more than recover. Take the opportunity to build relationships with your consumers, become a leader and end up stronger than you were before.
We updated this post, originally published on May 1, 2018.
Behaviorist Clara Mattucci is vice president of operations at GillespieHall. With a focus on research and tracking social trends to inform PR, marketing and digital promotion, Mattucci leads the team in creating and executing strategies that change behavior and build brands.