BreachExchange mailing list archives

7 must-do steps to ensure an IT crisis doesn’t become a PR disaster


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 19 May 2015 19:37:26 -0600

http://www.information-age.com/it-management/skills-training-and-leadership/123459510/7-must-do-steps-ensure-it-crisis-doesnt-become-pr-disaster

2014 was the year for enterprise IT crises, and this year has had its fair
share of scares already. But data breaches aren’t the half of it – system
and service outages can be just as devastating to all companies, from SMEs
to enterprises.

Whilst major IT disruptions are damaging, companies must ensure that they
preserve customer trust and confidence afterwards.

Maintaining trust from customers requires more than just a mea culpa. With
personal data and information on the line, the stakes are high for
customers, so transparent and proactive communication between businesses
and their customers is important.

Here is a seven-step plan of how companies can ensure a service disruption
doesn’t spiral out of control.

1. Assemble your communications team

It will be too late if businesses wait until after a problem surfaces to
build a team. Have a pre-assigned team of professionals skilled in handling
major issues such as data breaches or service outages.

Ensure customer-facing communication professionals, technical liaisons and
legal advisers are available. Establish procedures for swiftly contacting
(via multiple devices, numbers and communication modes) and assembling team
members.

Assume that teams will need to communicate at the most inconvenient times.
With all these in place, you will be prepared for any crisis situations.
Tip: If possible, use one-touch conference bridging capabilities to save
hours of time.

2. Keep management informed

Whether executives are directly impacted by an IT disruption or hear about
it through social media, send them messaging guidelines as updates roll in.
Some companies use executives to proactively communicate through their
social networks. Success requires a delicate balance of transparency
without over-sharing, and companies that achieve this are leaps and bounds
ahead of those that keep quiet.

3. Keep customers informed

Consumers and end-users are the most at risk when data breaches or service
outages happen. If corporate communications are unclear, infrequent or
inadequate, customers will be the first ones on social media exercising
their right to free speech, which can hurt a company’s reputation.

To avoid this happening, make sure you communicate with customers on
multiple devices and platforms until the correct message is heard or seen.
Silence is more damaging than the actual incident.

Whilst consumers want updates and assurances that you are taking action,
more innovative organisations turn the ‘lemon’ of an incident into
‘lemonade’ by creating an opportunity for customer satisfaction.

4. Keep regulators informed

Current and pending legislation around the world dictates that companies
notify regulators of service outages and data breaches in a timely manner.
For example, the Monetary Authority of Singapore (MAS) guidelines require
that financial institutions notify them ‘as soon as possible’ and that
procedures for these notifications be in place ahead of time.

Like the MAS guidelines, most current legislation contains ambiguous
language around timing and lacks direct penalties or fines. Still, with so
many regulations, it is advisable to stay ahead of the curve when
implementing rapid communication capabilities.

Many regulatory authorities require notification from institutions located
in their jurisdiction and from all entities that hold accounts for, or do
business with, their residents and businesses.

For global businesses, this could mean having to send notifications in a
timely manner to dozens or hundreds of regulatory authorities at the same
time. Make sure you set up your communication processes ahead of time.

5. Delivery of message to the masses

Sending a mass email is not enough – businesses have not satisfied their
due diligence just because they ‘tried’ to alert consumers of a data breach
or service outage this way. Contact information may be outdated, delivery
may fail, or customers may deny receiving messages if it helps their cause
when lodging a future complaint.

Prepare in advance by keeping multiple contact details for customers,
employees and regulators. Use backup communication methods for undelivered
messages and identify alternate channels (for instance, when email is down
along with the service, text messages or phone messages would be better).

Ensure that any method of communication allows – or even requires – the
recipient to acknowledge receipt of the message so there’s an audit trail
of the activity.

6. Continue talking about actions you’re taking

Circumstances can change quickly after consumer-facing service disruptions
occur, so keep all your stakeholders informed through direct communications
to reassure them that all steps are being taken to mitigate the situation.

Whilst formal, direct communications should be used sparingly, businesses
should use social media channels like Twitter or Facebook to be clear and
to send regular updates on the situation at hand – even if there is no
news. This will help cut down on inbound inquiries and keep everyone in the
loop.

7. Targeted communications

Data breaches and denial of service attacks happen because data falls into
the wrong hands. After a crisis occurs, companies should target
communications as necessary. Yes, transparency is essential to maintaining
consumer trust, but an unnecessary amount of communication could be equally
harmful.

Publicising information about crisis situations impacting business
customers may violate confidentiality laws. Public messages for issues that
impact a small number of customers are seen as overkill.

Targeting communications at affected consumers where possible, so as to
prevent further data leakage, will reduce inquiries to the company’s
customer service teams and avoid upsetting unaffected parties.

In today’s always-connected world, consumer-facing service disruptions are
inevitable. However, companies can limit the damage to their businesses by
putting the proper communications in place to alert and keep customers
informed during crises, and these seven tips will help get them off to a
great start.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 