5 Tips to Help Communicators Lead Brands’ Dialogues on Data Security

The nature of security, its definition and importance to every enterprise and global market, has fundamentally changed. Through concurrent trends such as social network advertising, the rise of mobile and increasing consumer breaches, along with events such as Edward Snowden’s NSA leak, individuals now are aware of the value of their data and expect corporations to be held accountable. Brands of all sizes need to consider security not as insurance or an IT issue but as a fundamental strategic initiative that requires vigilance and crisis communications planning.

C-level execs, especially board members, rightfully are becoming more concerned and aware. The rivers of data flowing underneath businesses they run are at legitimate risk. The damage from breaches can run into the hundreds of millions of dollars when totaling the financial impact of what comes with a breach today: customer and activist investor lawsuits, initial and ongoing investigations and the strain on technological and human capital.

Missing the Target

Target’s CEO famously lost his position in May 2014 because he was found negligent for failing to ensure the right data management and security protocols were in place. Target was hacked late in 2013, resulting in the theft of 40 million payment cards and 70 million other records. Owning the error and committing to working on immediate solutions weren’t good enough answers for the Target board.

By Derek Lyons, SVP, Integrated Services, Shift Communications

Just consider the damage to Target. Customers and banks filed more than 90 lawsuits for negligence and compensatory damages. That’s in addition to other costs, which analysts estimate could run into the billions. Thus far, Target has paid out more than $120 million to settle lawsuits. The firm’s February 2015 earnings report says the net expense of the breach stands at $162 million. The total reached a gross expense of $191 million, according to the same report. The effect on the C-suite was dramatic. CIO Beth Jacob resigned in March 2014. CEO and president Gregg Steinhafel did the same two months later.

The market is starting to have more conversations around brands and their ability, or inability, to be secure outside of the security industry cloister.

What Communicators Can Do

1. Reevaluate the definition of a crisis communications plan. This includes every brand from P&G to Boeing to Burberry—everyone in enterprise leadership has to be thinking about what defines and requires a security crisis plan. It’s not just physical or logical in silos. It’s about the digital assets that live in every part of your business and how you’re going to holistically protect and maintain those digital assets.

2. Lead the conversation. If you’re at the C-level of a P&G, ConAgra or Wells Fargo, what do you know about your data security posture? Historically, it wasn’t a focus or priority. It was check-boxed by hiring smart, trusted IT people to make sure the lights were on, that business users were productive and general protections were in place. That’s no longer a safe assumption or approach. Make security a top business issue. As stewards of the brand, communications employees need to be a part of driving these conversations at the C-level.

Industries like healthcare and pharma already are conditioned to have some form of crisis communication plan in place due to regulations and FDA standards. No reputable pharmaceutical company, for example, would operate without a strongly vetted crisis communications plan, because drugs can impact lives directly, a responsibility taken very seriously in that industry. When you step outside of these types of industries, however, crisis plans are not always part of the natural thought process.

Cybersecurity is Everyone’s Business

How this is playing out for brands outside of traditionally security-focused industries has evolved. Consider the public awareness around E. coli and food recalls. Today, consumers know who’s behind those issues given the rise of social media, and are changing buying behavior accordingly. People can more easily find out about issues and are making more informed choices about brands they support. Their voices are being heard as never before, and the C-suite needs to be prepared for when, not if, a public crisis hits the data behind its core products and services.

3. Prepare for the inevitable. Given the market and technology realities, brands will get more equity and value by owning the situation and having a vetted escalation plan in place. Bloggers like Ryan Naraine have in the past given security vendors credit publicly for how they addressed breaches or issues. This type of public barometer is becoming even more important. The companies bloggers praised had a security issue escalation plan reminiscent of what a pharmaceutical or consumer packaged goods company would have for a potential recall. This needs to be the norm for all companies.

We talk about how social media has created a “flame up/flame down” reality. Initially, an issue will gain airtime and everyone will seem to be piling on, only for it to disappear within a day or so. This is the positive and negative of social—it brings a shining beacon to an issue but then moves so fast that issues get washed away in the next wave.

Social Changes News Cycle on Security

With things like Heartbleed and Snowden, though, the importance and rising consciousness of security to businesses and individuals is changing that equation. You can’t expect the same rules of engagement. If something flames up in security, it’s not automatically going to flame down. In truth, you should be prepared for the opposite, since security issues seem to have a common and significant long tail effect that goes for months or sometimes years (discovery, remediation, historical comparison, benchmark for new issues).

4. Gauge the response. Not every issue requires a full and high-alert retort. You still need to know whether an issue is important strategically before responding. That balance is not always evident. It takes constant monitoring and adjustment to the tone and tenor of the public conversation. And you always have to balance out what it will mean for your customers and partners behind the scenes. This is where a prepared crisis and escalation plan (if well-conceived) pays significant dividends, since it would include a scale to determine the event’s nature and potential. By proxy, the plan gives you a sense of the seriousness via threshold questions such as, “Is this a core issue that goes to the heart of the product we deliver and is putting our customer at risk? Is this a nuisance? Is this a kiddie sort of thing where there’s just someone defacing a website?”

For example, your team identifies a minor issue with no real data exposure. If you see conversations taking place about transparency, you could put up a quick blog post, address the technical aspects of the issue and have your response team conduct short-term monitoring. You wouldn’t need to aggressively activate and directly engage on social, since that would only continue the conversation. Having these filters to put issues through keeps you from overreacting and running the risk of giving a minor item more credence than it deserves.

5. Deploy a data security escalation plan in addition to any other crisis plan.

A market conversation spurred by the 2014 Gartner Security Summit focused on response teams, making the case for executive leadership beyond the Chief of Information Security. This evolution would create a specific role solely focused on digital risk, driven by the reality that security is embedded into every part of the business. This person would be responsible for making sure every asset in the organization has something that’s built into it that provides security.

Whether it’s financial data or core IP, manufacturing line production data or your SaaS portal for sales leads, in the end it’s all data and it’s all at risk. It’s time for all brands to reorient their definition of security and risk, address the need for revamped crisis communications policies and plan for the day when digital risk is a regular item on the board of directors’ monthly meeting.


What’s My Data Security Communications Crisis Plan?

There are plenty of historical cases in all industries where companies used well-designed crisis plans with defined decision trees and escalation processes to quickly assess, address and respond to crises.

A security crisis communications plan should look familiar and address the following: Who’s on the initial call-down list, and in what order? What’s the expected response time, internally and externally? Do we have pre-drafted responses ready for customers/partners/investors? Do we have the right communication channels in place (email, portals, releases)? How quickly do we tell sales? How quickly do we tell support? What will be our ongoing communication cadence? Who is at the top of the decision tree? Who is the main spokesperson?

There also needs to be an understanding that if you experience one of these episodes, it likely will have multiple phases (discovery, remediation, historical comparison, benchmark for new issues) that will go on for weeks or months. Being properly staffed and setting aside the appropriate bandwidth to monitor, report and mitigate these issues with C-level involvement and buy-in changes crisis communications from a period-in-time issue into a longer-term, ongoing element of the business conversation.

This article originally appeared in the March 21, 2016 issue of PR News.