Willa Kalaidjian and Kelsey Chastain
Nearly every day, there are new reports of a data breach or cyberattack. Cybercrime is big business – estimated at more than $1.5 trillion in profit globally for 2018. Nearly all businesses hold sensitive information and personal data, which means businesses of all sizes – in any industry – can fall victim to a cyberattack. Manufacturers account for nearly a third of all hacks. Data breaches in the education sector are increasing, and retail and health care are consistent targets.
To a hacker, the size of your business doesn’t matter. Smaller companies are often considered easy targets if security measures are not a priority. In addition, cybercriminals frequently target small- to medium-sized businesses as a way into the networks of the larger companies those businesses supply or serve as vendors.
With the knowledge that a cyberattack can – and likely will – happen, let’s look at how to prepare for, protect against and respond to an incident from both a legal and public relations perspective. We'll outline what you should be doing before a cyberattack even happens and steps you can take after a breach to minimize impacts to your business.
It’s important to know your risks, prioritize your assets, identify strategic goals and make a plan to protect your company. All companies should develop and implement a written information security program that describes the safeguards, policies and procedures in place to prevent and respond to a cyberattack. This written policy should be reviewed annually and updated when there are material changes to the business – such as a change in IT systems or the type of information stored – or new developments in laws or industry standards.
Assessing the type of personal and sensitive information a business collects, creates, uses and maintains is crucial for an information security program to be properly tailored to the business' size and industry. A company should review both its employee and customer data as well as information it may share or process under vendor and third-party contracts. Businesses must take reasonable steps to implement appropriate safeguards to protect against unauthorized access to or use of personal information.
Training is essential for ongoing compliance and security efforts, and companies should provide periodic training to employees, contractors and others who have access to sensitive information or IT systems. Think about the last time you heard a story from a friend, colleague or family member about how someone opened an infected email attachment or responded to a fake email. Don’t be that person, and don’t let your employees fall victim either.
Regular risk assessments are another important operational tool for identifying internal and external threats and providing actionable recommendations for improving security. Depending on your industry, contractual obligations or applicable regulations, these assessments may be required. Many organizations choose to annually engage one or more independent third-party auditors to perform these risk assessments, regardless of whether they are required by law or other obligations.
Now is the time to be proactive and prepare for cybersecurity risks to your business. Consult with your legal counsel to prioritize legal steps and ensure you are in compliance with state data protection and privacy laws. It is equally important to work with your insurance broker to evaluate cyber liability insurance appropriate for your business risks. While a comprehensive cyber insurance policy and a clear written security program will help in the event of a breach, you also need a proactive communications plan to support your cybersecurity practices.
Now that you know how to minimize risk and avoid some cyberattacks, we’ll explore what and when you should be communicating. Your business can always prepare for a crisis – any crisis, whether it’s a natural disaster, physical attack or cyberattack.
Plan Before a Crisis
- Draft 2-3 scenarios and all the steps you’d need to take in each one
- Align with your IT team on what the plan is for each scenario and what steps they’ll take to minimize damage and get your business back on track
- For each scenario, prepare these items on the front end:
  - A flow chart for points of contact: who contacts whom, and when
  - Emails to employees, customers and stakeholders
  - A website landing page and message if your website is impacted
  - Placeholder messages for social media
  - Talking points for the leader(s) of your business
  - Mailed letters to affected customers
  - A communications channel that can be set up on demand for an influx of questions/feedback
For each scenario, choose a different audience. Some crises may warrant only internal or stakeholder communication, while others may need wide, public notification.
During a Crisis
- Gather all of the facts
- Deploy simple messaging, aligned through your channels
- Don’t jump to explanations and specifics until you have all of the facts
- Communicate, once you’re aware of an issue, that you’re gathering all of the facts and outline when you expect to communicate more thoroughly
- Say what you’re going to do, then do it (show your audiences they can count on you in a crisis by following through to a resolution)
Immediately Following a Crisis
- Thank your employees, customers and stakeholders
- Gather and analyze feedback from employees, customers and stakeholders
- Outline corrective action on policy or practices if needed
Long-term Communications After a Crisis
- Identify weaknesses and remaining challenges that need to be addressed
- Determine strengths and opportunities that should be communicated
- Evaluate whether a targeted communications campaign is needed
- Consistently review your crisis communications plan and revise (this applies to your Information Security Policy as well)
Scenarios and proactive planning help prepare you for gaps in cybersecurity, but when in doubt, it’s best to consult a communications expert. Having an experienced contact to lean on will expand your capabilities in a crisis when time and reputation are crucial and position your business to better survive any backlash.
Every day is the best day to make a plan, especially during October, which is National Cyber Security Month.
About Chambliss, Bahner & Stophel, P.C.
Chambliss Law Firm serves as counsel for regional, national and international businesses, financial institutions, local governments, families, individuals, and nonprofit organizations. For more information about the firm, visit chamblisslaw.com.
About Waterhouse Public Relations
Founded in 1992, Waterhouse Public Relations serves a variety of local, regional, national and international clients with an extensive array of communications and marketing services. For more information, visit waterhousepr.com.