Securing the Digital World

Planning for a Breach Crisis

Sep 22, 2016 | by Holly Rollo, CMO |

If your company doesn't have a crisis communication function and doesn't have a breach readiness plan, in the event of a public security incident it's highly likely the marketing department will be the one everyone looks at when the CEO says 'now what do we do?'

How do we manage the media? What do we tell customers, analysts, investors? Which executives will be interviewed? Are the spokespeople trained and credible? Twitter is on fire. Legal is telling everyone not to say anything and your iPhone is ringing like it's your birthday. Maybe you just started at this new company as the marketing lead and while you were busy implementing the new modern marketing engine, trying to recruit top talent and rebranding the company, did you remember to put together a crisis communications plan?

There is nothing worse for a company than trying to figure out how to communicate and manage the communication about a data breach as it is happening.

Preparing for and managing a breach must be part of a company's overall security strategy, like a life insurance policy you hope to never have to use. What's important is that there is a breach response plan and in that plan there is a communication component. First, know your disclosure policy, (well first, do you have one, and do people understand it), build for the worst case scenario and then work backwards from there. It's important for the entire executive team to understand what gets disclosed to whom, what constitutes or gates disclosures, how it is communicated, who communicates it, who are the spokespeople for which aspects of the communication, how are customers contacted, and what the internal messages are.

According to a recent Ponemon Institute study, consumers expect cash compensation after a breach and data breaches are in the top 3 of incidents that affect reputation.

Also, reputational harm can be caused by compromises that aren't actually real. Here's a hypothetical scenario (similar to something I've witnessed but genericized to protect everyone). A hot new IPO creates the latest gadget; and they are going into the Christmas season. At the same time a hacker goes into a forum and brags that the device can be hacked to a closed group. Someone else posts on a different forum and a newspaper picks it up and a news cycle begins. The company, who doesn't have a Chief Security Officer or a sophisticated security program, denies it can be hacked and gives a few technical reasons why - which hackers love to take as challenges. Hacker forums go nuts and hackers try to compromise the device, with some claiming success. The mainstream media doesn't know the technical hairs being split on whether it's a hack or not. Legal advises that no one says anything so rumors aren't managed. Customer service gets flooded with calls; stock goes down, sales stall...all during the holiday season and closing out Q4...and there may have never actually been an intrusion.

This kind of story is why EVERY company should think through breach scenarios and at least create a communication plan. News cycles don't wait for investigation and fact finding, so have a game plan.

Are you heading to RSA Charge next month? If so, you'll want to check out this session: Cyber-Jolt 2016: Corporate Breach Wargame. As a SOC team you will investigate an evolving incident and will then need to report to executive management on the incident as it develops. As corporate affairs you will need to brief the media. As the Chief Risk Officer you will need brief the board and as CEO give evidence before US Congress. This brings everything to a full circle.