Last week, I was one of the panellists at FireEye’s annual Cyber Defense Live event, the cyber security giant’s regional annual gathering of customers and partners. The panel involved real-life cyber-attack scenarios while the audience determines the next steps an organization should take from different points of view: a cyber security consultant, a lawyer and reputation management expert (me!).
I can’t tell you what excites me more: the fact that one of the world’s leading cyber security agencies sees the importance of cyber security from a reputational point of view (and makes the connection between reputation and a business’s bottom line) OR the chance to explain to some of the region’s leading government agencies and enterprises how to make realistic steps when it comes to staying ahead of a cyberattack from a PR standpoint.
These concepts are not new to Active DMC; we’ve been in the realm of cyber security almost since our inception. So much so, that we were recently selected to be a part of Code Red, a global network of specialized IT Security PR agencies. The agencies behind Code Red have been hand-picked for their experience and knowledge of the IT security marketplace. I’m thrilled for this partnership as we work together to build thought leadership in cyber security PR, including quarterly regional infographics on the state of the industry and a series of podcasts with our cyber security clients (stay tuned!). This industry knowledge and expertise will no doubt trickle down to our client base as we continue to share best practices and industry knowledge across the network.
What’s clear to all of us is that the connection between IT security and reputation is so simple: when personal data has been exposed or stolen, customers feel betrayed. The time is now for organizations to make this connection a business priority. Various studies have shown that as many as one third of customers will stop doing business with an organization after a data breach. Another study by Gemalto found 70% of 10,000 surveyed said they would stop doing business with a company that had experienced a data breach.
I will repeat what our clients always say: cyber attacks are inevitable. There are realistic steps any organization can take to ensure smooth communications, transparency and even increased trust. Among these are:
- Be the first to break the news – If you don’t take control, you leave your reputation in someone else’s hands. Being first also proves transparency between you and the public.
- Provide real-time updates – Develop a system AHEAD of a breach that allows for continuous updates to both your customers, employees and media. Think how you are monitoring this info, what channels will you share it, who needs to be involved at each stage (CEO, CIO, legal, PR), etc. If you don’t already have this process in place, the time is now!
- Wait until you have the facts – It’s completely OK to say, “we don’t know anymore at this point, but we are working to hard uncover all the facts and will keep everyone updated.” Please don’t make any definitive statements unless you are 100% sure. Going back on your word will only make the situation – and your trust – worse.
- Develop internal processes for handling media – Make sure your employees are aware of how to handle incoming media requests. In short, the only people that should speak with media are the designated spokespeople. And the only person handling that process should be the PR/marketing lead. Make sure your employees know what to do when a journalist calls.
When handled correctly, organizations can come out on top. Take Home Depot for example, the largest home improvement retailer in the United States. Their breach saw a compromise of 65 million customer accounts. After successful communications and built up trust, Home Depot’s stock decreased minimally one week after the announcement and, by the end of the quarter, showed a 21 percent increase in earnings per share. Target’s breach, culminating in the loss of over 100 million customer records, saw the retailer’s stock drop 10 percent afterwards. But by February the retailer had experienced its highest percentage stock price regain in five years.
In short, make communications as important as any other aspect of your cyber attack defense strategy. Failing to do so can mean grave consequences your reputation and, undoubtedly, your bottom line.