PR & COMMS TIPS FOR MANAGING UNPREDICTABLE DATA BREACHES - Signal AI
PR & COMMS
TIPS FOR MANAGING UNPREDICTABLE DATA BREACHES
Words: Caity Dalby
Photography: Adobe Stock/Creative Commons

INTRODUCTION

Data breaches can happen at any time, anywhere, and affect any
organisation. So how can you ensure that you’re prepared to deal
with cyber attacks as and when they happen?
Having a defined, documented and well-distributed internal data breach
communications strategy, supporting and enhancing the company’s
wider recovery plan, is key to managing an unpredictable cyber attack.
A breach may be unpredictable, but how you react, communicate, and
recover shouldn’t be. And with the Information Commissioner’s Office (ICO)
announcing its intention to fine British Airways a record £183m for their
2018 data breach, cyber resilience is of paramount importance. [1]

Cyber resilience is defined as the ability of an organisation or business
to anticipate, withstand, contain, recover, and evolve after a data breach
(The Chartered Institute of Procurement & Supply, CIPS). [2]
ANTICIPATE,
WITHSTAND, CONTAIN,
RECOVER, AND EVOLVE
These principles of cyber resilience can be
separated into three primary stages: Before,
During and After. Planning an extensive
communications strategy for each stage, whilst
ensuring you have a cohesive plan that touches
every point in the business, is the key to cyber
resilience. How you utilise your PR and comms
to manage an unpredictable cyber attack can be
the difference between substantial fines and
surviving a data breach with minor
reputational damage.

We look at the Before, During and After stages
in the process of managing an unpredictable
cyber attack, with examples of the good,
the bad, and the ugly in cyber resilience.
BEFORE
PREPARATION, PLANNING
AND PEOPLE
Preparation and Planning
Firstly, you need to define what a “data
breach” means to your company.
Every company is different in whose data
it holds and how it stores that information.
There needs to be a definitive idea of what a
data breach or cyber attack looks like for your
company and a company-wide understanding
before you can plan your withstand, contain,
recover and evolve strategy.

Once that is clear, a strategy needs to be
built and put in place. This includes conducting
simulations, a plan for internal responsibility
and management during the breach, and
the curation of a wide range of pre-written
collateral. This will range from social media
posts, marketing campaigns, press releases
and general proactive PR outreach, to quotes
or testimonials for key spokespeople. These
are all of equal importance and none can work
in isolation; only a holistic and wide-reaching
communications strategy will be effective.

People

The human aspect of managing an unpredictable data breach within
a company is paramount to the success of recovery.

First and foremost, there needs to be an acceptance at all levels that,
despite all the preparation and planning in the world, you may still be
targeted and suffer from a cyber attack. No one is invincible or impervious.

Second, clear planning needs to take place with a broad range of
stakeholders. This includes the CEO, CMO, Head of Communications, and
beyond. Key decision makers should plan a strategy in advance, matching
responsibilities to those who can take action, and outlining how these
plans complement the wider communication strategy. This ensures a
brand’s reputation and values are upheld and that consistent messages
are delivered across channels.

MYFITNESSPAL

On 29 March 2018, Under Armour, the parent company of MyFitnessPal, disclosed that around 150 million MyFitnessPal users had their account details stolen in a cyber attack on the sports giant: usernames, email addresses, and hashed passwords were compromised. Under Armour stated that on 25 March 2018 it became aware that “an unauthorized party acquired data associated with MyFitnessPal user accounts” during February 2018, roughly a month before the breach was detected and announced. [3]

MyFitnessPal is a prime example of inadequate preparation, despite an initial response that seemed adequate. Not only did the company fail to notice for around a month that its systems had been breached, but it had neglected to prepare or implement a plan for how to effectively deal with a cyber attack. It didn’t have a way to ensure that its customers’ data would be protected post-breach. This came to a head when, a year after the breach, some of the stolen data was found for sale on the dark web. [4] According to The Register, the MyFitnessPal data was on sale, alongside credentials from 15 other websites and apps, for less than $20,000 in Bitcoin. [5]

The passwords were hashed rather than stored in plain text (the majority with bcrypt, a portion with the weaker SHA-1 function, according to the company’s notice), and MyFitnessPal instructed its customers to change their passwords. Even so, the sale of these details could cause problems for people who reuse passwords across multiple websites. The ramifications of the MyFitnessPal data breach aren’t as far reaching as others, but the sheer scale of the cyber attack and the continuing problems that arose display an internal lack of forward planning.
DURING
CONTROL, CONTAIN
AND MONITOR
Control and Contain
As you work to control and contain an
unpredictable cyber attack, there needs
to be an admission of clear liability and
acknowledgement of responsibility from
media-facing spokespeople. Saying sorry,
and knowing when it’s appropriate to say it,
is incredibly important. And as enquiries and
press coverage increase during incidents,
it’s important to move away from solely
reactive action and be seen to be proactive.

As Jon Sellors, Head of Corporate Comms
at LV=, says, you should “Remember the 3 Rs -
recognise, regret and resolve.”

When in the midst of a data breach, clear lines
of communication are crucial to ensuring
important messages aren’t missed and
the organisation is responding in a timely
fashion. This is as much the case with the
acknowledgement of liability from the
company’s spokesperson or spokespeople as it is
with messaging on social media channels
and the website.

As such, you need to have tight control
over your communications channels.
This includes stopping scheduled
communications in the form of press
releases and marketing campaigns,
and making sure multiple people have
access to the business’s social media
accounts.

When communicating messages during
a data breach, it’s important to consider
your audiences, the social media channels
they use, the type of content they respond
to, and what they will be expecting in this
situation. Maximising your reach in this way
will encourage engagement and awareness,
whilst connecting with your audience in a
professional and reassuring manner will
help contain the fallout of the data breach.
It’s important to be aware and mindful of the
feelings of customers that have been directly
impacted by the data breach.

It’s also key to consider time zones and out
of hours support, as the flurry of activity and
messages won’t stop when your standard
operating hours end. And if a crisis begins
out of hours, or surfaces in a different time
zone to your company’s HQ, there needs to
be a backup plan. Having a contingency
plan for when your workforce goes home
for the day should not be overlooked:
organise employees to take shifts, provide
on-the-go resources so employees can continue
to work at home, or bring in outside support.

Another aspect of the control and containment
period of managing an unpredictable cyber
attack is the ability of your website to handle
a dramatic spike in traffic. Websites often
see a rise in visits once a data breach has
been announced publicly and reported in the
press, as members of the public look to official
channels for answers. Ensure all information is
up-to-date by setting aside a plan of action to
bring in more resources. Factoring in time for
training and providing additional equipment
is useful.

In the same vein as providing adequate
resources, technical competence within the
business or a detailed plan for outsourcing
technical support needs to be in place.
Recovering quickly, with as little reputational
damage as possible, is unlikely if you don’t
have the fundamental technical competence
to fix what led to the data breach in the first
place and to implement a multi-channel PR
and communications strategy.
Monitor
Staying informed during any kind of crisis,
but especially during a public data breach,
is essential. Knowing who is talking about
you, the press you’re receiving, and the
sentiment of that press, can make all the
difference in the outcome of your
recovery process.

Utilising a media monitoring and reputation
management platform, such as Signal A.I.,
can automate the monitoring process and
allow you to respond to media coverage in
real-time - a must in the modern 24-hour news
cycle. The Signal A.I. platform mirrors the
established workflow of a business, automating
media monitoring, reporting and analysis, to free
up time for key stakeholders and spokespeople
to focus on making informed decisions in the
cyber attack recovery process.

As previously mentioned, it’s important to be truly
global with your cyber resilience plan and media
monitoring during a data breach. With cyber
attacks hitting companies globally, out of hours,
in a different time zone to HQ, or focused on a
specific regional part of a business, the reach of
your media monitoring needs to extend beyond
English language news sources.

The Signal A.I. platform accurately categorises,
translates and extracts intelligence from over
three million media sources a day and surfaces
the relevant information in real-time. You should
invest in a media monitoring tool that provides
you with an invaluable global outlook and head
start when dealing with media fallout during and
after a breach.

SONY

A great example of efficient and effective control and containment of a data breach is the April 2011 cyber attack on Sony’s PlayStation Network. The data breach is widely viewed as the worst ever to hit the gaming community. It impacted 77 million PlayStation Network accounts, around 12 million of which had credit card details on file. Hackers gained access to full names, passwords, e-mail and home addresses, purchase history, and PSN/Qriocity logins; Sony could not rule out that credit card numbers had also been taken, though it stated that the card data was encrypted. The data breach hit Sony hard, with the network offline for almost a month and estimated losses of $171 million. Despite the financial ramifications of this incident, it serves as a great example of corporate responsibility - knowing how and when to say sorry.

Like many companies that experience a data breach and the inevitable backlash that comes from it, Sony’s approach wasn’t without faults and imperfections. However, they knew when to take responsibility as a company, how to apologise, and which spokespeople had to take public liability. In a move that helped to save them from further reputational damage, Sony Computer Entertainment’s president, Kazuo Hirai, and two senior executives stepped up as media-facing spokespeople to apologise publicly and accept liability for the data breach. [6]
AFTER
LEARN, EVOLVE
AND UNDERSTAND
Once the dust has settled and media
coverage has slowed, it’s time to learn from the
experience, evolve so it is less likely to happen
again, and understand why it happened to you
in the first place.

Learn and Evolve

There isn’t a definitive step-by-step process
to follow in the aftermath of a data breach.
But once you’ve managed to withstand the
initial cyber attack, you need to go back
to the drawing board with the rare opportunity
to shape and improve your processes. All of
the following need to happen simultaneously
for a business to truly come out of a serious
data breach the better for it.

You need to re-prep and plan for next time.
And don’t be complacent, as there may very
well be a next time. This involves evaluating
what in your current strategy to manage an
unpredictable cyber attack did and didn’t work.

You need to question everything the business
did in reaction. Did you monitor the media
being produced about you adequately enough
to provide real-time, useful updates? Can
you confidently claim that you effectively
contained the damage through both reactive
and proactive measures? Was your messaging
about the data breach clear and informed?
An outside mediator, moderator, or security
provider may be necessary for this process, as
objectivity is hard to maintain.

Communicate

There also needs to be continuing and clear
key messaging about the breach in the
aftermath. Companies need to proactively
provide information on any ongoing
investigations, the results of these, and further
actions they are taking to ensure the data
they hold is more secure.

With the implementation of GDPR in Europe
and other data protection laws across the
globe, and with regulators such as the US Federal
Trade Commission enforcing data security under
the FTC Act, consumers are more acutely
aware of their rights. They have a better and
more informed understanding of how data
protection and security works, the value of
their information, and the consequences for
businesses that do not comply. As a result,
it’s absolutely necessary for you to not shy
away from it; the press and your customers
certainly won’t.

Understand

In tandem with the above actions, as a business
you need to define why you were the target for
a cyber attack. This can be for a multitude of
reasons, but defining why you were targeted
will be invaluable information to possess in the
learning and re-planning process. And again, it is
an opportunity to realign and direct the company
in a different direction.

Businesses are either randomly targeted or
chosen due to obvious (to cyber attackers)
security flaws or for reputational reasons. In the
case of Ashley Madison, the extra-marital dating
site, it’s no surprise that it was reputation driven.
If you determine that you were targeted because
of the latter, you need to assess what you can do
to change your reputation and public perception
of your company.

ASHLEY MADISON
Reputation is everything, especially when
yours attracts “vigilante” hacking groups.

Ashley Madison, or The Ashley Madison
Agency under the parent company Ruby Corp,
suffered a massive security breach in 2015
that exposed over 300 GB of user data. This
included users’ real names, banking data,
credit card transactions, and secret sexual
fantasies.

The vigilante hacking group, ‘The Impact
Team’, demanded that the company take Ashley
Madison offline, as a punishment for the
company not keeping the data secure, and
threatened to publish the users’ data otherwise.
The demand wasn’t met and the ramifications of
the data breach were far reaching, impacting both
the business and its users, leading to numerous
“[r]esignations, divorces and suicides.” [7]

According to the Federal Trade Commission
(FTC) complaint post-hack, Ashley Madison
“had no written information security policy,
no reasonable access controls, inadequate
security training of employees, no knowledge
of whether third-party service providers were
using reasonable security measures, and
no measures to monitor the effectiveness
of their system security.” [7] Part of the FTC
settlement required that the company add
“a comprehensive data-security program,
including third-party assessments.”

In the years since the cyber attack, Ashley
Madison have been quietly recuperating and
evolving. They have by no means done a
perfect job at post-breach recovery, but the
intention is there. They have defined, and now
understand, why they were a target - both
reputational and ease of access. Importantly,
they have put the groundwork in to repair
their damaged business.

In a major change, Ashley Madison have
realigned their central message. They
now exist to help those in loveless/sexless
marriages, those going through divorce and
illness. Ruben Buell, who became president
and chief technology officer of the company
in April 2017, made a point to publicise the
security measures they implemented following
the breach: two-factor authentication, a bug
bounty program, adherence to the NIST
cybersecurity standards, a no-third-party policy
when it comes to users’ information, and
new chief information and security officers.
“Security and discretion” were described
among Buell’s key focuses for 2018.

“ASHLEY’S CORE DIFFERENTIATOR IS DISCRETION.”
RUBEN BUELL, FORMER PRESIDENT & CTO, RUBY (ASHLEY MADISON)

This seems to have worked; by gradually
rebuilding their reputation and focussing
their efforts on regaining public trust they are
reported to have “191,000 daily active users
(defined as members who have exchanged
messages) and 1.4 million new connections
made each month.” [8]

Whether you agree with the platform or
not, their bounceback after the data breach
and subsequent success says a lot for their
recovery and evolution.

CONCLUSION

If handled incorrectly, data breaches can
break a company financially, irreparably
damage reputation, or have devastating
consequences for customers. And they
can happen to any business. Curating and
implementing a communications and PR
strategy for managing an unpredictable
cyber attack is paramount for a business’s
survival of, and recovery from, a data breach.

By doing what you can to ensure cyber
resilience through adequately anticipating,
stoically withstanding, efficiently containing,
effectively recovering, and evolving with
humility, brands can safeguard themselves.
And ultimately, and fundamentally more
importantly, businesses can protect their
customers’ data.

Bibliography

[1] British Airways faces record £183m fine for data breach, BBC News (8 July 2019).
[2] Cyber Crisis Management Plan for countering cyber attacks and cyber terrorism, The Chartered Institute of Procurement & Supply (CIPS), 2018.
[3] MyFitnessPal: Notice of Data Breach, MyFitnessPal (29 March 2018).
[4] Hacked MyFitnessPal Data Goes on Sale on the Dark Web—One Year After the Breach, Fortune (14 February 2019).
[5] 620 million accounts stolen from 16 hacked websites now for sale on dark web, seller boasts, The Register (11 February 2019).
[6] Sony bosses apologise over theft of data from PlayStation Network, The Guardian (1 May 2011).
[7] Life after the Ashley Madison affair, The Guardian (28 February 2016).
[8] Ashley Madison attempts to regain the public’s trust, engadget.com (29 March 2018).

Signal is the A.I. powered media monitoring platform delivering strategic insights that help you make the best possible decisions. For more information email hello@signal-ai.com or call us on +44 (0) 20 3828 8200 (UK and rest of world) or +1 917 398 5931 (US).