We Have a Failure to Communicate

“Time is burning,” Mr. Ben-Oni said. “Understand, this is really a war — with offense on one side, and institutions, organizations and schools on the other, defending against an unknown adversary.” Mr. Ben-Oni, quoted in a recent article in The New York Times on cybersecurity, is the global chief information officer at IDT.

A data breach is like a bank robbery executed by ghosts. It’s hard to envision and even harder to prepare for. The average cost of a data breach in the US is now over $7.9 million, according to research by the Ponemon Institute. Every company is at risk but few are fully prepared.

The component that often gets overlooked is communications. Your IT manager may have a cyber-defense prepared, but what are you going to say to your customers? How will you respond to media inquiries? On today’s ideological battlefield, conversation is one of the most powerful assets your company has. And the content of the conversation is its fuel. You cannot defend your company in response to a cyberattack unless you have a communication strategy in place, one that works in tandem with your cybersecurity plan.

Over 60% of SMBs are out of business within 6 months of a cyberattack

It’s hard to envision, but a single cyberattack can easily put you out of business. Fortune 500 companies have the resources to survive a data breach, even when, like Equifax, they have weak communications response plans. Small to mid-sized businesses (SMBs) are more exposed. It’s hard to project the financial impact of a data breach because information technology is constantly evolving. It’s easier to understand how poor communication can undermine your data breach defense plan. How many IT professionals in your company are prepared to explain a data breach in layman’s terms and talk directly to customers or the media?

A cyberattack can destroy your company’s reputation, eroding trust and faith in its products and services. Most SMBs are completely unprepared for managing the reputational risk and brand/business damage related to a cyber crisis. According to the Ponemon Institute (2016), 55% of small to mid-sized businesses have experienced an attack; only 14% considered their defense adequate.

U.S. Secret Service cybersecurity simulation underscores the importance of communications planning

On January 9th, 2018, the U.S. Secret Service Electronic Crimes Task Force conducted a cybersecurity simulation exercise in Atlanta to underscore the need for U.S. businesses and institutions to prepare for cyber-warfare. In attendance, besides various federal, state and local law enforcement officials, were representatives from major banks, universities, and financial data companies along with logistics, healthcare, and communications providers. They were all concerned with how prepared they were to deal with the inevitability of a data breach. In fact, several of the attendees’ companies had been victims of major breaches.

During the third and final segment, on communication, something interesting happened. The facilitator, Matt Chevraux, an Assistant Special Agent with the Secret Service Office of Investigations, Cybersecurity Strategy and Outreach, asked the attendees a series of questions about the structure of their communications reporting, their confidence that their internal and external communications professionals understood the ins and outs of cybersecurity-related issues, and their ability to adequately represent the organization to stakeholders and the media.

A request for a show of hands on confidence produced no arm-raising, as did a question on whether key individuals were media-trained on the issue. A query on in-place procedures produced only a couple of affirmative responses. Clearly, there was a collective feeling that organizations were not doing enough to address some very real and threatening cybersecurity issues.

The group included a number of Fortune 100 and 500 companies. Think about smaller enterprises and their level of communications preparedness. In many cases it’s nonexistent. Those of us in the cybersecurity arena will tell you that if a bad actor wants to get into your network, he will find a way to do so. It’s not a matter of if or when you’ll suffer a breach; more likely you’ve already been breached. We learned during the simulation exercise that the average time between the intrusion and discovery (dwell time) is 272 days, which means most companies have no idea who is rooting through their network.

A communications plan is essential to shield your business before, during and after a cyberattack

This brings us to the role of communications. The financial repercussions of a poorly handled data breach can and will have long-term implications for your brand/company. A lack of comprehensive planning and training, together with ineffective messaging, can result in insurmountable damage.

Consider the high-profile case of Equifax or the recent…. The breach was bad, but the communication (or lack thereof) was worse, particularly for a credit-reporting agency. What can a company do to avoid the negative press and subsequent brand erosion that mushrooms with missteps in communication?

Plan ahead - don’t wait for a data breach to prepare your response

Communications and cybersecurity management must work in lockstep during a crisis. It is the only way to build a comprehensive defense (and offense) against the consequences of a cyberattack. Cybersecurity professionals agree it takes an average of two to three weeks to determine the extent of the damage in a cyberattack. Therefore, you need to prepare and implement, now, a detailed communications plan that addresses multiple scenarios and multiple stakeholders.

The five critical steps in communications planning

There are five critical steps a company must take to proactively prepare for a data breach:

  1. Engage a reputation management expert who will work with you and your cybersecurity team before a data breach happens.
  2. Jointly conduct an audit of your cybersecurity preparedness.
  3. Develop and implement a comprehensive communications response plan tied to your technical procedures. Include legal, insurance, risk management, law enforcement and other key stakeholders.
  4. Select and media-train appropriate spokespeople. Conduct tabletop exercises and constantly update them. Work hand-in-hand to train employees on proper procedures.
  5. Stay informed, stay vigilant.

Every business is at risk of a data breach, but you don’t have to be caught without answers. Customers see fires and floods as destructive events you cannot anticipate. They understand that robberies are largely out of your control. They do not understand how data breaches happen, and they hold businesses fully accountable for the loss of their data. It’s as if you left the doors open and went home. You have to have answers, and they have to be really good.

There is nothing that can provide 100% lockdown security. But there is a way you can be 100% certain you know what to say and be far more likely to save your business.

Salus is a cybersecurity reputation management firm providing SMBs with a user-friendly software platform and unrivaled expertise to protect your most critical assets in a cyber-attack scenario.