There’s a good chance cybercriminals could soon access your data. According to the 2020 Thales Data Threat Report, conducted by IDC, breaches are increasing worldwide: 1 in 2 US companies have experienced a data breach, and 1 in 4 experienced one in the last year.
Companies are now starting to focus not only on preventing breaches but also on limiting their impact when they do happen.
This change of focus involves classic strategies, like buying extra security solutions that detect attacks early, hiring new incident responders and training the existing team to react more effectively. It also brings fresh attention to the activity most likely to fall through the cracks: post-breach crisis communication.
Applying a reputation rebuild
Consumers are now much more concerned about data privacy. In the US, 83 percent of consumers, and in Britain 44 percent, say they stop spending with a company for several months after it suffers a data breach. Many say they’ll never go back.
The need to rebuild their reputation sees companies spend an average of $161,000 on PR after a breach.
What is good crisis communication during cybersecurity incidents?
Cybersecurity professionals agree that data breach response should happen across the business, not just in IT Security.
Despite this, many companies struggle to respond fast enough, and with enough information, to quell the rumors. But preparing crisis communication for IT security incidents in advance means a good reputation can be restored quickly when an incident happens.
I speak from experience. We discovered an advanced nation-sponsored attack on Kaspersky’s internal network in 2015. With coordinated and cooperative work across different departments, we could control incident communications, building our reputation as transparent and responsible.
We based our response on five principles.
1. Involve everyone in crisis management planning
Companies should plan how they’ll communicate about any situation they might face, and a cybersecurity incident should be one of them.
Your crisis management plan should include people from all departments. That means IT Security, IT, legal, customer support and corporate communications, for a start.
2. Educate non-IT employees on IT security basics
Building a cyber-aware culture at work has benefits beyond incident response.
As a minimum, all those who will be involved in responding to a cybersecurity incident need a basic understanding of IT security.
3. Have different plans for different types of incidents
You’ll probably need separate plans for different kinds of issues. The reputation impact of an advanced persistent threat (APT) that lets cybercriminals spy on business activities will differ from that of business-halting ransomware. Use the company’s threat model to identify the most likely scenarios you’ll need crisis communication plans for.
4. Prepare alternative internal communication
If attackers have compromised email, IP telephony, instant messaging or phone and video calls, you’ll need separate secure channels to keep employees updated and to plan your response. Those channels must be genuinely out of band: a messenger that signs in through the same compromised accounts, or runs on the same compromised devices, gives the attacker a seat at your response table.
In this situation, everyone involved should use encrypted channels. Prepare non-technical staff in advance by explaining why encrypted messaging is needed, how to install it and how to use it.
5. When you disclose, be specific
When they’re not given enough detail, people tend to speculate. When disclosing an incident, say exactly what happened, how it affects customers and partners, and what you’re doing about it.
Every task is urgent when responding to a security incident, but only IT Security can give corporate communications the details that let them write an accurate and informative statement. IT Security should prioritize conveying this information alongside its most urgent post-breach tasks.
The success of Kaspersky’s and others’ crisis communication in response to major incidents shows that even when cybercriminals succeed, good communication can still win the day. And like many things in business, it’s all about the planning.