BreachExchange mailing list archives

Don't Let Your Reputation Get Hacked


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Fri, 9 Jan 2015 13:01:24 -0700

http://www.odwyerpr.com/story/public/3825/2015-01-08/dont-let-your-reputation-get-hacked.html

You may have heard the saying: “There are two types of companies. Those who
have been hacked, and those about to be.” Now that we have experts
reporting on “60 Minutes” that 97% of American businesses have been hacked,
it’s clear to see that we live in a world where every major organization is
vulnerable.

First, there should be clear protocols for reporting security breaches to
top management. If a breach is detected, key decision-makers must get to
the table — fast — for a no-nonsense “what do we know” session.

This team of executives should include senior decision-makers from legal,
HR, communications, operations, security, IT and all other relevant
departments. As the Federal Deposit Insurance Corp.’s Martin Gruenberg put
it in a 2014 speech quoted by American Banker: “Cybersecurity is no longer
just an issue for the IT department.”

Asking the tough questions

As the situation evolves, the team should ask the tough questions, get the
facts and stay in constant contact with each other — and with the people
addressing the problem on the front lines. The following should be
addressed:

• Which records or data sets were compromised?

• What type of information is at risk?

• Should the company have been storing these records?

• Where and how were the records stored before the theft or breach?

• How many people may be affected by the data breach?

• Have we sealed the “door” through which hackers entered? Are there any
other potential portals still open?

• Have relevant law enforcement agencies been notified? Are those agencies
able to share any findings?

• If the suspects are employees or former employees of the client, what
relevant information can be gleaned from their employment file? Were full
and complete background checks done on them? Were there previous
disciplinary problems or any previous indications of trouble?

• What steps were taken to secure the records or data before the breach?
What is being done to secure remaining data?

Steps for success

And now, the race to save your client’s reputation begins. Below are a few
key action points.

Understand if you are truly on the verge of a crisis situation. There is a
difference between a reputational crisis and a reputational challenge. The
first step is to understand the situation and potential impact on the
organization and its stakeholders, and the interest level the public and/or
media are likely to have. Underreacting to a crisis or overreacting to a
challenge can harm a company’s brand, possibly resulting in a fatal blow
beyond repair.

Assemble your external support team as soon as possible. Ideally, you will
have already established strategic relationships with outside entities — a
crisis communications firm, forensic IT experts, credit monitoring
services, insurers, and attorneys specializing in cybersecurity liability
and law — before any cybersecurity breach or records theft. Lining up a
trusted outside team in advance will help you respond quickly and allay
concerns without losing time. You, as the PR point person, can play an
important role in vetting these partners and setting up clear lines of
communication before the crisis clock starts ticking.

Set up the response center, and take action to help. As soon as possible,
you should offer credit monitoring and fraud protection to individuals
affected by the data breach. This service should include a hotline run by a
trusted credit-monitoring partner. (Note: State laws may vary, so the
offers sent to affected individuals may need to be specifically tailored.)

As communications counsel, you should help craft the messages for call
center responders and prepare them to answer a range of tough questions
clearly — and with understanding, empathy and a clear action plan. Put
yourself in the shoes of a person who has just been informed that their
personal information has been lost or compromised. You would want clear
assurances that the company is making things right.

Some of the calls will need the attention of senior management due to the
severity of the problem or the intensity of the callers’ anger. Make sure a
“hot file” for follow-up is updated and distributed to key decision-makers
daily.

Remember your internal audience. Vigilantly communicate with employees so
they can serve as ambassadors in the community if the company encounters a
reputational crisis or challenge. Informed, engaged employees are powerful
assets to help preserve the company’s credibility and reputation. Craft and
share a clear internal protocol for your client that employees should
follow if they are contacted by reporters, neighbors, customers or affected
individuals. Provide talking points, Q&A and coaching as needed. Remind
employees of the media protocols and ask them to direct all inquiries to
the designated company spokesperson(s). This is not the time for employees
to freestyle.

Monitor media coverage. Task a team to closely monitor any coverage in
social or traditional media. Assemble an up-to-date media list for use when
you share updates. If a reporter calls, respond promptly — at least to let
them know you have received their inquiry and are working on their request.
Silence can be deadly.

Through close monitoring of social media, you’ll know when people are
saying something about the company that would require an immediate
response. It also gives your client the opportunity to communicate directly
with their customers in real time — a key part of being responsive and
thoughtful.

Ideally, you should have a pre-approved message bank that can be used to
respond to comments on social media. Don’t just use boilerplate over and
over — empower your social media team to use their judgment, with oversight
from senior executives. The sooner you use social media as a communications
tool in a crisis, the more effective you’ll be at navigating the maelstrom —
even, as Inc. magazine’s Abigail Tracy writes, the tempest brought about by
a Valentine’s Day storm.

Decide what to share, and when. It is possible your client’s cybersecurity
problem will not morph into a news story, even after you communicate with
affected individuals. But you should still have a plan for dealing with
media attention. If your client opts not to preemptively let the media know
about the problem, draft a brief holding statement about the situation and
keep it on file for use if you receive inquiries from journalists.

Don’t stay silent when you should break the story. One of the most
important judgment calls in this process is deciding when to proactively go
public with the news. There are major risks in delaying. As Forbes.com
contributor Davia Temin wrote about Target’s data breach crisis: “No matter
how much it hurts, when you have a problem that affects your customers
directly, do not wait to go public. You don’t need to have all the answers,
but you do need to get ahead of (and own) the problem.”

If waiting to go public is detrimental, so is going public without much to
offer. A real-life example: eWeek reported JPMorgan Chase waited a month to
disclose its cyber-attack to the U.S. Securities and Exchange Commission.
The public filing described what type of information was compromised. But,
in its filing, the bank didn’t detail what steps were being taken to
communicate with affected customers. The lack of detail left reporters and
customers with more questions than answers.

Get out in front. This can demonstrate good faith and a commitment to
finding a solution. It can also prevent rumors from spreading in a vacuum.
Once the news is public, commit to communicating clearly and consistently.
Do not minimize the problem, and do not make false assurances. The need to
retract overly optimistic assurances can destroy your credibility. Be
forthright with customers, employees, vendors, clients, the media and other
key constituencies. Don’t be afraid to admit what you don’t know, but let
them know you are working to find out.

If you take decisive and well-considered steps, a crisis can turn into
opportunity in the long run — a chance to demonstrate character, brand
values and genuine concern for those affected by the breach. As Stephen
M.R. Covey wrote, “Nothing is as fast as the speed of trust.”

In a hyper-connected world, the right communications strategy — and the
right attitude towards people jeopardized by security risks — can help
protect and even strengthen that trust.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 