How businesses should talk internally and externally about data breaches
The Telegraph 14 SEPTEMBER 2017 • 12:00PM
Businesses need to perfect their internal and external PR plans so they can manage data breaches effectively, says Alison Coleman
Companies have become so reliant on data for their operations that one of the biggest crises they face is a data breach. As high-profile cases have shown, the effect can be devastating, and the damage is often compounded by poor communication after the event.
“All staff should be trained how to spot a threat and how to deal with it,” says Steve Clarke, co-founder and director of IT consultancy Freeman Clarke.
“It’s a good idea to run through some scenarios with the department heads to see if things are covered. For instance: is there a data backup? How would you get it back? And in the meantime, what would you do to keep the business going?”
Your communications teams should be equally prepared; as Rod Clayton, executive vice president and co-lead, global issues and crisis at Weber Shandwick, says: “An organisation has a far better chance of getting communications right after a data breach if it gets things right before an incident ever occurs.
Companies have become so reliant on data for their operations that one of the biggest crises they face is a data breach
“That means a big role for communications in ensuring that employees and consumers understand what to do to preserve security, being clear about efforts made to ensure data integrity and managing stakeholders’ expectations.”
As a general rule, staff should be instructed not to talk to the media in the event of a breach; the worst thing a company can do is to send their chief executive to the first media interview.
Instead, they should spend time assessing what happened and getting their facts together, while the CEO and board notify stakeholders and regulators. After this, they will be in a position to field out a senior spokesperson to the public.
“You must inform your stakeholders before you inform the media,” says Adrian Davis, managing director EMEA at (ISC)², a membership body of cyber-security professionals.
“Once you have a handle on the situation and have prepared a coherent position and a response to possible criticisms, get the CEO or another senior board member in front of the media. The aim is to provide a graduated response, rather than expose your CEO throughout.”
“Another crucial part of dealing with the aftermath of a data breach is to divorce the technical, operations and communications elements. This means you should have a business continuity plan that focuses on “keeping the lights on”.
As a general rule, staff should be instructed not to talk to the media in the event of a breach
“The technology and operations people should be focused on sorting out the problem and keeping the business running, while the communications team focuses on talking to stakeholders and customers,” adds Mr Davis.
When managing the impact of a data breach, communicating with staff is absolutely essential – especially if it results in some disruption to their normal working patterns. From an external perspective, covering up information loss is never perceived in a positive light.
“While firms don’t necessarily want to admit they have had data breaches, doing so will allow customers to take action to protect themselves,” says Dr Ben Silverstone, course leader for computing and quantitative business at Arden University.
“This is particularly true where log-in details or partial bank information has been lost. Communicating effectively and openly with those involved is one of the most important parts of managing the situation.”
Time to step up security
The rise of remote working, especially among smaller firms, is creating new security challenges for business.
A survey by Deutsche Telekom found that only 12pc of workers were consistently undertaking basic cyber-security good practice at home; 17pc admitted to having no anti-virus protection, and nearly a third had suffered malware problems at home in the past 12 months.
Sarah Adams, cyber-risk specialist at PolicyBee, says all companies should ensure their staff understand – and adhere to – their security policies. “It’s vital they receive training on joining the business in areas such as robust passwords, never clicking on suspicious links, and recognising hacked websites,” she says.
“There are many [security] tools on the market, but you still need to train your people.”Security in the open economy
Technology has redefined everything we know, from the way we communicate to the way we do business.