4 ways to salvage your reputation after a breach

When a data breach hits, one of the first things to suffer is your reputation. Steve Mansfield-Devine looks at the key steps you need to take to mitigate the damage…

Reputation damage is one of the harder costs to calculate in the wake of a cyber incident. And yet the bill can be very high when the time comes to account for lost customers, eroded trust among partners and a drop in shareholder confidence.

As with so many aspects of information security, being prepared is crucial. Yet not enough firms – even those with otherwise sensible breach planning – have processes in place to deal with reputation damage control.

“Reputation takes years to build but can be destroyed in a matter of moments,” says James Lynch, a partner at Maltin PR, which is one of many public relations firms that now specialise in handling the fallout from cyber incidents. “Mitigating any damage is therefore vital and should be prioritised in the same manner as other aspects of breach response strategies.”

Step one: 'Fess up
“As a first step, it is critically important after any cybersecurity incident to gather accurate evidence-based data to understand what has happened or is perhaps still happening,” explains Ashley Stephenson, CTO at Corero Network Security. “This avoids missteps in dealing with the incident and sharing information with the outside world. Your credibility is often established in your initial communication about the incident.”

One option you don’t have is saying nothing. Confession may be good for the soul but it’s also a legal requirement in many countries. The EU’s General Data Protection Regulation (GDPR), for instance, puts a time limit of 72 hours on how long organisations have before they must disclose a breach to regulators. It also demands that affected people are notified.

While it’s tempting to stay quiet, the truth is almost certain to leak out. For example, Uber’s former security chief Joe Sullivan is currently being prosecuted for allegedly attempting to cover up the firm’s 2016 breach by disguising a payment to the hackers as a ‘bug bounty’.

“As and when the breach is made public, negative attention will be amplified by the attempts to sweep the issue under the rug, creating more issues for an organisation,” says Lynch. He adds that there is no clear metric for ‘success’ when handling the reputational side of a breach, but failure is dismally obvious. He cites Facebook’s response to its 2019 data breach.

“It’s an example of a failed communications strategy,” he says. “The company failed to apologise for the breach, and was subsequently deemed ‘cold, cynical, defensive and argumentative’ in the press. This highlights the importance of empathising with your consumers and demonstrating to them that you understand the seriousness of the matter.”

Contrasting with that is how Twilio handled a similar situation. “The corporate responded to a data breach with an incident report which provided clear communications to consumers that they and their data is cared for and valued.”

Step two: Open dialogue
Rather than clamping down, being open has its advantages, and there are several things you should consider concerning your communications, says Sarah Woodhouse, director of Ambitious PR.

“Be in control of the message,” she says. “Where possible, plan a launch date and time and prepare press releases, statements and key stakeholders for interviews in advance.”

She also underscores the need to be open and honest. “Don’t be afraid to state where further investigations are needed,” she adds.

It’s a mistake to see the media as the enemy. Instead you need to work with them, answering questions and providing information to alleviate concerns and show that you understand the risk and are taking appropriate steps.

“Follow up with a statement after the event which details the steps you have taken to prevent this happening again,” she says.

Step three: Team effort
Your response needs to involve a range of key players in the organisation. “CISOs should work alongside the legal and communications teams to create a clear and robust plan that can be actioned quickly once a breach is identified,” says Lynch.

You can also benefit from outside help.

“PR agencies can offer a great deal of value in helping you to formulate a crisis communications plan in advance for such an event,” says Woodhouse. “How you expedite that crisis comms plan requires a joined up approach with senior spokespeople and PR and marketing team leads.”

Step four: Have a plan
But above all, you need a plan – one that will allow you to communicate clearly and accurately.

“Organisations should be able to prove to their customers that their data breach was not a case of human error, which is found to be a key driver in 82% of cases,” says Lynch. “To minimise any breakdown in relations with consumers, clients and the wider market, organisations must be able to react rapidly and confidently if a breach occurs to illustrate that the risk of a data breach is anticipated and taken seriously.”
