Dropbox and iPhone hacks highlight the need for brands to plan for cybercrime
Today's news that 68 million Dropbox user credentials from 2012 were exposed, and last week's reports that the iPhone could be hacked with a single click, are the latest cyber security challenges to face major brands. Knowing what to say and when is one of the biggest challenges for any brand which discovers that it has been hacked.
When Sony remained tight-lipped in the aftermath of a cyber attack on its PlayStation Network, it was castigated for withholding important information from its customers. When TalkTalk quickly went public, it was criticised for its vague response.
So what should a business or brand do when (rather than if) it discovers it has been the victim of cyber crime? Here are 10 steps you can take to ensure your reputation is protected in the event of an attack.
1. Confirm legal and regulatory requirements
Knowing how much to say and when is one of the trickiest decisions to make in the event of a data breach. But the starting point should always be the regulatory and legal requirements for disclosure. Make sure that you know what is required of your business.
2. Conduct a cyber reputational risk analysis
‘Cyber crime’ covers a multitude of sins and different kinds of attack will affect the reputations of brands in different ways. Take time to assess what kinds of cyber attack are most likely to affect your organisation and, crucially, which kind of attack would do most reputational damage.
3. Conduct scenario planning
A quick and effective response to cyber attack is impossible without thought beforehand. Assemble key people in advance of an incident to consider how an attack could play out and your response to it. Identify information, capability, resource, knowledge and training gaps to be addressed.
4. Create an incident response plan
Based on your reputational risk analysis and scenario planning, build a cyber incident response plan (either as a standalone or as an adjunct to your overall crisis management plan).
5. Prepare to communicate
Time is of the essence when cyber crime strikes, so planning your communication beforehand is essential. Agree message themes to be used in response to a data breach, identify key stakeholders, determine the best communication channels to reach them and ensure you have their contact details to hand. Pre-prepare core communication materials such as your initial media statement and internal briefing. Work out how you will deploy your social media channels.
6. Build your cyber incident response team
Identify the people who would be critical to responding to a data breach and include them in your response plan. Make sure that you include their out-of-hours contact details – hackers don’t work from 9 to 5.
7. Discuss response protocols ahead of time
Have key members of your incident response team (IT, legal, marketing, communications, customer service and HR) meet beforehand and agree principles for cyber incident response. Don’t wait until a crisis breaks to find that your communication and legal teams have very different perspectives on what to say and when.
8. Train your spokesperson
Communicating about a data breach is challenging and sensitive: admitting that you don’t know exactly what has happened is uncomfortable, but saying nothing can be the most damaging thing of all. Give your cyber spokespeople media training to ensure they are able to communicate clearly and credibly under pressure.
9. Run cyber exercises
When your planning and training are complete, run a simulation exercise to rehearse your team, test the plan and identify where further improvements can be made. Never wait for a real incident to find out whether your plan works and your team has the skills to succeed.
10. Review and learn
Most businesses will be subjected to a cyber attack at some point. If it happens to your organisation, never resume business as usual without a full review of what happened and actions to be taken as a result. Most reputations can withstand a single incident; multiple failures are harder to defend.
Security and cyber experts are working flat out to develop safeguards and technological solutions to stay one step ahead of the bad guys. Sadly, they can never be 100 per cent successful, so planning how brands would communicate in the event of a cyber attack is essential.
Jonathan Hemus is managing director of crisis management company Insignia. You can follow him on Twitter @jhemusinsignia