09 May CIISF – Is Your Business Ready to Weather the PR Storm of a Data Breach?
Nichole was delighted to join the speaker panel for the Channel Islands Information Security Forum’s inaugural Guernsey Cyber Security Conference earlier this month. The event offered an unrivalled opportunity to explore how Guernsey can put effective measures in place to safeguard its businesses against a data breach.
Keynote speaker David Ferbrache OBE shared insights into 2019 cyber security trends while Bruce Hallas explored the Re-thinking the Human Factor #RHF movement.
Nichole’s session focused on ‘The Impact of a Data Breach on Brand Reputation’ and identified how businesses can ensure that, when the worst happens and a cybersecurity breach occurs, they are prepared to minimise its reputational impact.
Here are just a few insights that Nichole shared with those attending the Conference.
Measuring the Impact of a Data Breach
According to recent research, 31 per cent of consumers discontinue their relationship with a brand or company following a data breach, but that’s just the tip of the iceberg.
Stock prices also tend to drop an average of five per cent when a data breach is disclosed, and in fact that could be a modest estimate – Equifax stock dropped 35 per cent after its 2017 breach.
These statistics are partly due to the negative publicity generated by a data breach, which significantly impacts an organisation’s reputation. It’s not just national headlines that generate noise; trade media love to run these stories too, and bad news hangs around online for a long time.
However, it’s not all doom and gloom; firms that are prepared to communicate proactively and use best-practice communications models during a crisis situation will minimise financial and reputational damage.
The Importance of Reputation
To understand how reputations are broken, it’s important to understand how they are formed and, more importantly, protected.
Reputation is what other people say and think about you; your customers’ thoughts, feelings and impressions about the organisation create its reputation.
This simple equation sums it up succinctly:
Performance + Behaviour x Communication = Reputation
- Performance is judged through the quality of a service or product, its value for money and whether it delivers against its promise
- Corporate behaviour is often most on display when things go wrong. Does the company ‘do the right thing’ and quickly make amends for its mistakes, or does it pass the buck or wriggle out of responsibility? Corporate behaviour is also judged on how it treats:
  - Its people;
  - Its purpose;
  - The environment;
  - The community.
- Good communications will tell the story of an organisation, sharing its corporate values and role in the wider world.
When those elements come together in a strategic and planned way, consumers’ response to that reputation equation is trust and goodwill.
The Value of Reputation
Whilst customer response might seem intangible and hard to measure, it’s clear that reputation has tangible economic value.
In fact, according to some measures, at least half of a company’s market value can be attributed to reputation.
Business leaders care about a good reputation because it helps them gain new customers, enter new markets, make strategic alliances and build relationships with regulators and other agencies that allow them to operate.
A data breach is a performance failure and how companies respond to a breach will demonstrate their corporate behaviours, and make or break that consumer trust.
For example, whilst Tesco Bank’s response to the 2016 hack wasn’t flawless, the company moved very quickly to reassure customers they would not lose any money. Conversely, TalkTalk customers were furious to learn about the data breach from media reports, rather than the firm itself.
Put simply, how you communicate throughout a cyber incident will help to increase or minimise the damage to your firm’s reputation.
Learning From Others’ Mistakes
There is a lot we can learn from the big data breaches we’ve seen over the last couple of years. The Equifax response was dubbed a ‘PR disaster’ by Forbes and is a great example of how not to behave…
- Companies that announce news of a data breach quickly help their customers to make informed decisions about their data. It’s an example of good corporate behaviour, but Equifax delayed their announcement, knowing about the breach in July but not informing the public until September.
- Equifax executives sold stock just after the breach was uncovered, claiming they didn’t know about the breach. Whether that is true or not, good internal communications would have prevented this.
- Equally, top management claimed to be unaware of the breach. Informing senior executives of a problem quickly is another pillar of good crisis communications.
- The PR crisis playbook calls for a clear apology and assumption of responsibility as well as a commitment to resolving the problem. Equifax’s press release was full of vague wording, insincere corporate jargon and passive language.
- The day after the breach was announced, Equifax’s Twitter feed made a cheerful announcement: ‘Happy Friday,’ it said, ‘you’ve got Stevie ready and willing to help you.’ Twitter users didn’t take kindly to the casual, cheery tone. During a crisis, all other social media, PR and advertising activity should be paused and re-evaluated.
Context is King
One factor that cannot be overlooked in crisis response is context; for example, the mood of the nation and current media agenda can have a big impact on how a crisis develops.
In the Channel Islands, a breach at a financial services firm now would land against a backdrop of negative headlines about beneficial ownership, tax havens and constitutional tussles.
For the UK media, this context could make a minor data breach a much more interesting story for their readers.
We know that no cyber defence can be 100 per cent effective and that developing the ability to respond is critical. The preparation must include the ability to communicate quickly – and well.
Nichole’s observations of several recent high-profile data breaches highlight some best practice points:
- Communicating quickly and openly reduces speculation.
- Firms that are quick to apologise to those affected seem to recover faster than those who do not.
- Firms that use a senior spokesperson, such as the CEO, recover their share price faster than those that do not.
- Organisations which have an active online and social media presence are able to use those communications channels to their advantage.
‘No Comment’ is Not an Option
Those who do NOT engage proactively with the media risk misinformation being published, which leads to the need for correcting that information and thus extending news coverage unnecessarily.
Saying ‘no comment’ just creates an information vacuum that will be filled with conjecture and rumours.
Senior figures speaking honestly about what the organisation has learnt and the actions it will take helps to move press coverage onto the repair and rebuild phase.
Good communications are fundamental to what should be a key aim in a firm’s cyber risk strategy: maintaining business continuity.
This requires planning, training and testing.
So, alongside the other key elements of cyber response, such as effective leadership and governance, technology and operations, data management, and compliance with legal and regulatory requirements, do you have a plan for protecting your firm’s reputation?
What Can You Do?
Think about how to incorporate crisis communications planning into your cybersecurity strategy and preparedness, and get in touch to find out how to communicate well in a data breach: email@example.com and 01481 729 229.