21 Oct Where PR And IT Collide: Cyber Security
Data breaches, cyber crime, hacking, Bitcoin scams… How many letters or emails have you received this year notifying you of a cyber security incident?
When you learn that your personal data may have been exposed, or read yet another story about a company scrambling to recover from an incident, do you worry about your business? Do you wonder whether you are doing enough to protect your employees, customers and stakeholders?
October is Cyber Security Awareness Month – a good opportunity to evaluate existing systems and learn about the latest best practices. We recently worked with the National Cyber Security Alliance on a campaign to educate small business owners about cyber security threats and strategies to protect themselves. It’s an important mission, as small businesses make up 99.9% of all US businesses and employ 47% of working Americans.
Larger organizations are not off the hook, though – our world is so interconnected that one small action can cause a domino effect that impacts individuals and organizations around the globe. Everyone has to participate in keeping data safe.
Cyber Security Crises Are Communication Crises
IT vulnerabilities can lead to huge disruptions in business, extremely costly interruptions in productivity and massive loss of consumer trust. An organization’s ability to recover that trust depends largely on how it responds. How long did it take them to go public? What did they do to make it up to their users? What did they do to make their platforms more secure?
When we teach crisis communications to MBA students, we always include recent cyber security case studies. An IT crisis can very quickly turn into a major PR crisis, impacting your business from many angles:
- Consumer confidence, trust and loyalty
- Privacy and information security
- Legal issues relating to client data security
- Insurance payouts
- Employee morale
To limit the impact on our clients’ business should an IT crisis arise, we urge all our clients to implement an IT triage plan – one that includes a PR response. Good planning includes both response strategies and risk mitigation.
Cyber Security Risk Mitigation
As with any PR crisis plan, prevention is key. Preventing a breach or network attack begins with proper training and a strong support team. Make sure your PR company is a part of the planning process. We help our clients educate their teams about new cyber security policies and precautions and why they are important. That way, if anything happens, you have a record of practices in place to protect your clients and their information.
- Keep good IT support on retainer, or in-house. Spend money on sound IT infrastructure and support. Have your IT support map out a strategy to prevent and, if necessary, recover your network.
- Train your employees on safe internet and email use. Can your employees identify a phishing attempt or unsafe website? Most breaches begin with an employee opening an unsafe attachment or link. If your employees know how to recognize and respond to potential threats, you could avoid a world of trouble.
- Keep your website up to date. Last year, more than 223 million web attacks were blocked. We update our clients’ website software several times a week to protect them against recognized threats. Some of the most prominent leaks, hacks and breaches of our time were caused by outdated website technology.
Responding to a Breach, Hack or Violation
There are always actors working hard to compromise companies’ security for their own personal gain. So, if your organization falls victim, having a plan in place takes the panic out of the situation. It puts you in a much stronger position to recover from lost consumer trust and interrupted productivity.
Here are just some of the questions you should be ready to answer before the time comes:
- Who will be involved in responding to a cyber security issue after it occurs? Your response team should include your leadership, IT experts, public relations and legal counsel. Set up an internal chain of communication, and make sure to inform everyone when the time comes.
- How soon should you notify clients and the public? You may have very little information early on, but you must respond quickly. Many companies suffer in the public eye because they put off notifying their stakeholders or were less than transparent about what happened.
- Which stakeholders need to be notified first? Control the flow of information by prioritizing your audiences. Your stakeholders should always hear the message from you. Be aware, though, that once you tell one group, the word will get out. Make sure it’s your word that spreads, and not someone else’s.
- How will you contact your top clients when a breach shuts down your email system? Call your clients to let them know you are having IT issues, and make sure all account executives use a consistent message. Explain that emailing may not be possible for a certain time frame, but they should feel welcome to call if they need something. Your clients will welcome the timely personal alert and understand that some things are out of everyone’s control. Keep them up-to-date as the situation develops.
- How can you show your clients you are committed to protecting them? Share what measures you had in place beforehand. What happened? What are you doing differently in the future to protect consumers and improve security?
Protect Your Company With A Plan
An IT breach or crisis is not the end of business as you know it. By preparing effectively, responding quickly and being transparent, you can do more than recover. Take the opportunity to build relationships with your consumers, become a leader and end up stronger than you were before.
Of course, it’s always better to plan ahead.
We updated this post, originally published on October 11, 2018.
Behaviorist and partner Clara Mattucci leads the team in creating and executing strategies that change behavior and build brands, with a focus on research and tracking social trends to inform PR, marketing and digital promotion.