Forget the resolutions about hitting the gym more and spending less time on Facebook. You’ll break them anyway. This new year, resolve to get ready for a data breach or other cybersecurity issue by thinking now about how you’ll communicate when it happens. When working with companies and organizations on crisis communication plans, we ask a simple question to the leadership team: What keeps you up at night?
The No. 1 answer for businesses across the world is becoming clear: cybersecurity.
Infosecurity Magazine, citing the 11th Annual Survey of Emerging Risks involving 200 risk managers primarily based in North America, reported that cybersecurity has been the top threat for three years running.
“Cyber continues to be a top current and emerging concern for 53 percent of respondents, followed by terrorism and technology,” Infosecurity stated, adding that “a growing consensus among risk managers (is) that with a cyberattack, comes the risk of business interruption and damage to brand or reputation, along with the potential of a data breach.”
If surveys like this one aren’t enough, follow the money.
Forbes projected that the cost of cybersecurity in the U.S. would jump from $40 billion in 2013 to $66 billion in 2018, if the pace of spending from the first half held up for the entire year.
Take action now
If you haven’t done much to prepare for cybersecurity threats, what should you do? From a crisis communications standpoint, cybersecurity scenarios and messaging should be part of any crisis communications plan.
The plan will include details such as which of your key stakeholders — employees, customers, vendors, business partners — should be contacted after you become aware of a data breach or other cybersecurity event. The plan should describe who on your team is leading those communications and when they go out.
The plan also should outline the required timelines for notifying consumers or citizens if their personal information is breached. All 50 states now have enacted varying breach notification laws. Additionally, the HIPAA Breach Notification Rule, covering health information, has its own set of requirements, including, in some cases, required notification of media. And the European Union in 2018 adopted the General Data Protection Regulation with some of the most stringent notification requirements going.
After the data breach hits is not the time to start scrambling to understand the notification requirements. Crucially, a well-done crisis communications plan also will include the actual messaging — already approved by your leadership team, including legal — that can be used to initially respond.
Protect your reputation
Getting out first and telling your story to the people who matter most to you is a critical step in protecting your reputation.
“If you’re breached and you know it, somebody else knows it and it’s a footrace,” said Kevin Mandia, CEO of security firm FireEye, in PRSA’s Strategies & Tactics.
Having a crisis communications plan means you’re in that race because you know who says what to whom, when and how, if a crisis hits. With cybersecurity issues, increasingly, that “if” seems to be “when.”
Thomas Fladung is vice president at Hennes Communications