What security leaders need to know about breach communication

Leigh Nakanishi shares the approach security leaders need to prepare for their turn to communicate and coordinate during a breach

[Image: communications. Credit: Anne Worner (Creative Commons BY or BY-SA)]

The importance of communication

According to a recent Ponemon Institute study, 89 percent of board members recognize that security failures or breaches can hurt both the reputation of the company and its market value.

With security considered a top concern by executives and boards, are you ready? Beyond your need to anticipate a breach, are you ready to handle communication in the wake of one?

Leigh Nakanishi, Vice President of Edelman’s Data Security and Privacy Group, is responsible for helping companies manage communications across the full spectrum of security and privacy issues, from major data breaches to product vulnerabilities and the loss of IP.

I asked for advice on what security leaders need to know and think about to be ready.

“It’s important to understand that successfully communicating about a security incident requires a somewhat different approach when compared to other types of reputational risks that a company faces. Security professionals need to work with their peers in communications and legal to make sure they have a clear and integrated approach to incident response.”

[Image: integrated plan. Credit: Orange County Archives (Creative Commons BY or BY-SA)]

You need an integrated plan

Do you have an incident response plan? Does it include communication?

In Leigh’s experience, “many organizations overlook one critical component to the plan – preparing to communicate with stakeholders in the event of a live incident. This is good practice not only for the sake of being able to focus on communicating versus pausing to think about what you want to communicate during a live breach, but it also shows good faith governance to important stakeholders, such as Boards of Directors.”

Getting it right takes coordination between security, legal, HR, IT, and other partners. Because these functions commonly operate in silos, you need a plan in place: one that is clear, mutually understood, and followed.

Make sure the plan covers how to communicate with core stakeholders in addition to a clear approach for public statements. Build the program you need before a breach happens.

[Image: pressure test. Credit: Ragnar Jensen (Creative Commons BY or BY-SA)]

Put your plan to the (pressure) test

Having a plan is the first step. Making sure it works is the second.

Leigh likens the approach to the (in)famous Mike Tyson quote about having a plan “until you get punched in the mouth.” In Leigh’s experience, the problem the stress of the breach introduces is the instinct to over communicate.

Find out if your plan works by practicing it. Find out what to keep and where you can make it better.

Leigh advises “practicing a response plan is an important step of the preparedness process, because it helps members across the organization understand how best to work together and identify potential gaps in the process. Devoting a half-day for the crisis response team to get together for a tabletop exercise to test how they would respond to different types of security issues will help prepare them to manage the chaos of a true incident.”

[Image: leaks. Credit: Narshada (Creative Commons BY or BY-SA)]

When responding, expect the leaks

Despite your best intentions, Leigh warns to expect leaks. “When a breach occurs, the response team must assume a leak will occur and be prepared for it from the minute the incident is discovered.”

To manage the leaks, Leigh suggests keeping focus on finalizing and getting sign-off on a “media holding statement.” Acknowledge the incident, share the steps the organization has taken to remediate the issue (so far), offer any true assurances about partnering with industry experts or the FBI/Secret Service, and state a commitment to ensuring the protection of employee/customer information.

Be cautious of revealing hard information before the investigation is complete.

[Image: too early. Credit: Mary Ann Clarke Scott (Creative Commons BY or BY-SA)]

Resist Proactively Communicating Too Early

The pressure to share information is intense. This is where a lot of companies make mistakes.

As Leigh puts it, “The early bird does not always catch the worm. Move quickly, but remember that going out with information too early can hurt an organization in a data breach. Resist communicating numbers early in the investigation, because they often change and overstating or understating the number of records lost could leave the impression the organization doesn’t have a handle on the incident.”

Focus your initial messages on the steps being taken to investigate the issue.

Leigh reminds us that “facts are very fluid when responding to a data security incident, and telling too much too soon can lead to inaccurate dissemination of information, compromise of more data and further reputational damage by breaking trust again.”

[Image: message. Credit: Sergio Aguirre (Creative Commons BY or BY-SA)]

Manage your Message

Leigh offers some sage advice to guide your efforts, “The affected party – whether customers or employees – should be your north star.”

Communicate in a clear and direct way. Use traditional and digital mediums. Don’t get caught up obsessing over the technical details of what happened, at least not when communicating with affected parties.

Put yourself in the role of your audience. Give them the information and guidance they need to protect themselves. When possible, help them take action on their own.

Another insight from Leigh is to avoid playing the victim. “Even though a security incident is a criminal act against the company and an organization should acknowledge that, focusing too much attention on that fact will make it look as though the organization is trying to pass responsibility.”

[Image: hub. Credit: Alex Brown (Creative Commons BY or BY-SA)]

Create a Hub

Where do people go for information?

Have a concrete place to direct stakeholders and interested parties. Consider whether it is part of your corporate website or something a bit more disconnected. Use this site to provide official updates. Include the known details and add updates as they become available.

[Image: monitor. Credit: Andreas Lindmark (Creative Commons BY or BY-SA)]

Monitor the Conversation

Leigh suggests “the moment an organization learns of a data security incident, it should immediately initiate monitoring across social and traditional media platforms to watch for a leak.”

Use the social listening tools available to you; often this requires integration with other teams. Blend your social listening with regular scans of traditional media. You want to understand the tone, the volume, and any updates in public information, as well as any stakeholders or influencers weighing in.

Use your communications plan’s social media response guidelines to inform the ongoing response strategy.

[Image: repair. Credit: Thomas Leuthard (Creative Commons BY or BY-SA)]

Repair Your Reputation

“Data security incidents can have substantial impact on an organization’s license to operate with wide-reaching, long-term reputational concerns.” Leigh suggests that “once the immediate crisis has subsided, the team must consider its brand recovery strategy.”

From a business perspective, the goals are to protect client relationships, respond swiftly to client concerns, reinforce the company’s commitment to data security, and chart an operational course that helps inoculate the company against future risk.

Rebuilding the brand starts with creating a consistent, credible story about the organization’s strengths, areas for improvement and commitment to excellence in data security.