Sandra Fathi, President, Affect
The year 2014 was riddled with highly publicized data security breaches of all shapes and sizes, affecting notable brands such as Sony, Target, Neiman Marcus, Home Depot, HealthCare.gov and JP Morgan Chase. Writing in PRSA’s Tactics, Sandra Fathi provided four guidelines for organizations to protect brand reputation in the event of a security breach, and these guidelines remain highly relevant today.
1. Develop a fully locked and loaded response plan.
In the digital age, it is essential to have a cyber attack plan in place as part of an organization’s crisis management strategy. Companies can get ahead of a crisis by leveraging social media to diffuse damaging situations. In order to prepare, be sure to anticipate and understand the kinds of threats that could influence your business and your profession.
There are four phases of crisis communications: readiness, response, reassurance and recovery. In order to properly respond to a crisis, each stage must be ready to go at a moment’s notice — develop materials such as messages and prepared statements, prepare delivery channels like hotlines and social media platforms and train employees regarding awareness and organizational procedures.
2. Remember that the customer is the top priority.
Arguably the most important step in maintaining a brand’s image amid a breach is to be honest with customers and inform them about what has occurred — the sooner the better, especially if their personal information is at stake.
In fact, 47 states have Security Breach Notification Laws that govern communication with customers in the face of a security breach, including the timeline for those communications. Several weeks elapsed before Target released an official statement to their customers and, as a result, it experienced massive backlash from customers, other organizations and the media.
Adam Levin, chairman and founder of IDT911, a provider of data-risk and identity-management services, believes that every company needs to demonstrate three things in the wake of a data breach. “Urgency, transparency and empathy are all critical. I don’t think [Target] showed enough of those three,” Levin said in an interview with ABCNews.com. Not being upfront with customers can result in a loss of confidence in the brand that not only could hinder the company’s reputation, but also could lead to a loss in revenue.
3. Monitor the situation in real-time.
Social media can be a powerful tool but “with great power comes great responsibility.” While positive engagements boost a brand’s respect, companies must always monitor for negative interactions in real-time and be even more stringent during a security breach, as customers will turn to social media to respond to situations, regardless of their allegiance to the brand.
Develop a social media response map that outlines anticipated situations and correlated standard responses to avoid a last minute shuffle. Don’t shy away from angry customers that post adverse comments. And depending on the situation, it may be worthwhile to engage with these individuals in a private forum and resolve their concerns, taking the negative sentiments offline.
4. Don’t repeat the same mistakes.
For brands, it is especially important to avoid making the same mistakes twice. Customers may or may not forgive a first offense, so a second go-around is even harder to rebound from. Companies must carefully document and analyze each breach to identify how it happened, why it happened and how to prevent such an event in the future. Consider changing security vendors, deploying new software, retraining staff and amending company policies. It is also important to communicate these changes to customer to reassure them that a similar breach will not reoccur.
According to Radware, a global provider of application delivery and application security solutions, “Cyber breaches, specifically Distributed Denial of Service (DDoS) attacks, will continue to be a serious issue as attackers become more agile and their tools become more sophisticated.” The company’s 2013 Global Application and Network Security Report provides more detailed information on security trends.
As cyber attacks continue to become more and more sophisticated, it is only a question of when — not if — a company will experience some type of security breach. Most communicators do not have control over the systems and procedures that govern security in their own organizations. However, preparing a crisis communications plan prior to a breach can help ensure that companies protect their reputations, customer relationships and revenue in the long term.
This article originally appeared in the Winter 2014 issue of PRSA’s Tactics.