Data breaches are now so common that it is hard to keep up. In any given week there are reports of attacks across all sectors and geographies. At the time of writing, the Yahoo! data breach could potentially involve up to a mind-boggling 1 billion users.
By the time this article is published, many more breaches will have taken place, most of them grabbing fewer headlines.
It is becoming increasingly clear that security is no longer strictly an IT function; it has reached a scale where it needs to be on the boardroom agenda.
When clients came to us in the past they would base crisis preparedness scenarios around a site accident or a critical failure in one of their core business functions. Nowadays clients are increasingly concerned about whether or not they are prepared for a data breach.
But should they be? The simple answer is yes. Very. And who can blame them. In Asia-Pacific, companies are particularly vulnerable. Recent research by the security company FireEye revealed that 28 per cent of organisations in Asia-Pacific were hit with an advanced cyber-attack in the second half of 2015, nearly double the global average of 15 per cent[i].
The Post story cited a lack of awareness of cyber threats and a lack of disclosure regulation (which varies across the region) as two of the key reasons Asia Pacific is particularly vulnerable to cybercrime.
Indeed, many experts suggest that for companies everywhere it’s a case of “when, not if”. This is not scaremongering. This is fact.
An array of misconceptions is exacerbating the situation, including confusion about who is responsible for investigating, preparing for and responding to data breaches. These include:
- It’s an IT problem – in fact, it’s a Board-level issue with implications for every part of the business.
- Hackers usually target internet companies or banks – these are the sectors best prepared to deal with data breaches, which makes them less vulnerable. According to IBM’s 2016 X-Force Cyber Security Intelligence Index[ii], the healthcare industry is the number one target in 2016.
- My company is too small to be a target – there are different types of data breaches, from the large-scale like Yahoo to smaller-scale attacks, and companies with limited defences can be considered a far easier target.
- Anti-virus software installed, job done – while IT-based security solutions are absolutely critical, as is changing passwords regularly and having the relevant protocols in place, these steps will not protect your brand if and when the worst happens.
- It won’t happen to me – every company is a potential target and, here in Asia, even more so.
A data breach represents a unique communication challenge. Because breaches come in so many forms, the threats morph and escalate all the time, and many are discovered after the fact. Just ask Yahoo!
Once a company becomes aware it is under attack, it must undertake a forensic investigation to confirm exactly what is happening and who is responsible. This can take a long time, and during this period an organization has a delicate balance of priorities and obligations to manage.
There is no standard procedure for how to communicate with critical stakeholders when this happens. So what represents best practice in this area?
Following a data breach, there are really only two options: implement your data breach response plan, or begin to search the situations vacant pages. That is a dramatic statement, but as communications professionals it is important never to lose sight of the fact that you will be judged not just for the data breach, but for your organization’s handling of it.
The good news is that a data breach is something that can be planned for. And while every plan needs to be bespoke there are some core requirements.
Fundamentally, any response plan should involve a cross-functional team that represents all the organizational functions. Whilst it is difficult to predict the precise nature of a data breach, holding statements, stakeholder mapping, social media responses, and spokespeople training can all be prepared in advance. The key is ensuring your response plan can be activated at a moment’s notice and that roles and responsibilities are clear – simulation exercises are essential to put this to the test.
Other things to take into consideration include:
- The speed in which a data breach becomes public – and thus the need to react – can now be measured in minutes, not hours.
- The ability to effectively manage social media. Organisations must engage where the discussion is happening; and more often than not, this is on social media.
- Transparency. While companies must be guided by the law and their own bylaws, we live in an age in which transparency is expected.
- The disruptive impact of externalities. A data breach can take on a greater profile if it happens to relate to an issue that is of front-burner interest to the public, the media and policy-makers – organisations must be flexible and nimble enough to adjust to disruptive externalities.
- One song sheet, many voices. Effective data breach response requires coordinated and consistent messaging. While this might appear to be intuitively obvious, an organisation’s culture and even its organisational structure can be obstacles to joined-up communication.
- Measure. Gut instinct is a poor substitute for research in determining the impact of a data breach response. Research need not be expensive or time-consuming, but it is a vital tool in post-breach management for measuring the extent of any reputational damage.
There’s no doubt that cyber security presents communication complexities but with dedicated organizational focus it is possible to mitigate reputational damage.
By: Fiona Parker, Regional Technology Lead, & Alec Peck, Regional Crisis and Issues Lead, Hill+Knowlton Strategies Asia-Pacific
[i] South China Morning Post, 19 October 2016