As part of an incident response plan, besides internal communications and compliance processes, external communications are just as important for reputation management and public relations.
Cyberattacks and data breaches happen to everyone, all the time, all over the planet. Home to some of the world’s fastest-growing digital economies, Asia is certainly no exception – businesses that operate in the region receive six cyber threats every minute.
In fact, Asian companies are seen by many a hacker as prime targets for cyberattacks, and for a good reason: according to a 2019 Sophos report, organizations in the Asia-Pacific region “face a series of cybersecurity shortcomings in the areas of education, company culture, skills, budgeting and operational management.”
But we’re not going to talk about how to prevent a cyber breach from affecting your company – because it’s probably going to happen anyway. Instead, let’s talk about how to prevent the breach from not only damaging your business, but also nuking your reputation.
Here’s what every organization should do to address a cyber breach.
1. Develop an incident response plan
It pays to be prepared, especially when public relations are involved.
The first and most important step when preparing for a cyber breach is to assign the key members to your incident response team. Depending on the company, the key stakeholders might include members of the Security, Legal, IT, HR, and Communications departments. These should be the people who are the best equipped to handle a cyber breach. They should formulate and coordinate your company’s strategy when push comes to shove. Having a strong incident response plan in place is crucial if you expect to manage the post-breach public relations (PR) fallout in a timely manner.
When it comes to external comms, make sure to establish a solid network of post-breach priority contacts like PR agencies, law firms, and local authorities.
And don’t forget about internal communications. Would you rather your employees hear about the breach from you or from the media? Exactly.
2. Prepare templates in advance
This one should be a no-brainer. Create post-breach communication templates for every type of media channel you can think of, including press releases, blog posts, social media stories, as well as internal and external emails.
Make sure to keep the following in mind when creating these templates:
- The way you communicate should change depending on the media channel. Tweets are different from direct emails, which are in turn different from press releases. Adjust your tone and language accordingly.
- Don’t attempt to sweep the breach under the rug. Lay out the impact of the incident and how it affects your customers: they’re not stupid, so don’t treat them as such.
- Disclose everything your company is legally obligated to disclose. If you don’t, it will bite you hard later.
3. Timing is crucial
People tend to be distrustful, especially when it comes to companies that lose their data to cybercriminals. Which is why timing your post-breach PR response is essential.
Needless to say, delaying your breach disclosure longer than necessary should be avoided. The longer you wait, the bigger the risk that stolen user data has already been sold on some darknet marketplace.
However, that doesn’t mean your press release should come out as soon as you detect the breach. Communicating too early might actually do more harm than good. For example, a spokesperson who hasn’t been properly briefed about the incident before doing a press conference can give vague or inaccurate answers, which might result in even more reputational damage for the brand.
4. Simplify the language
Cybersecurity is a complicated subject, to put it mildly. It’s obscure, technical, and difficult to understand for the uninitiated. A PR statement written in complex security jargon will only confuse the public and create distrust. Which is why communicating in clear and concise language should be at the top of your post-breach priority list.
You don’t want your customers or the press leaving your carefully constructed statement with more questions than answers. So, make sure to use simple vocabulary and avoid any type of techspeak. Can your grandma understand what you’re trying to say? No? Go back to the drawing board, simplify, repeat.
5. Take responsibility
Last but not least, you’ll have to own up to the breach. There’s simply no other way around it. Because if you don’t, your company will be seen as irresponsible, which will only further erode trust in your brand.
On the other hand, taking full responsibility and following up with a sincere apology and a solid post-breach action plan communicates empathy for your customers and willingness to make sure your company doesn’t suffer another cyber breach in the future.
Cyber breaches are not going away anytime soon. This means that those who want to survive in the digital age have no choice but to be prepared for the inevitable, both security- and communication-wise. And having a bulletproof plan, a solid communication strategy, and a well-managed response makes not only surviving, but also restoring trust and saving the brand’s reputation that much easier.