What Brand Communicators Need to Know About Cybersecurity

Anna Keeve, PR Manager, ESET N. America

Forbes recently reported that cybersecurity should be a company’s number-one business priority in 2017. What this translates into for PR pros is that cybersecurity crisis planning should be your No. 1 priority.

Cybercrime is a multi-billion-dollar industry and growing. Aside from the average cost of $2 million per breach for a company in the U.S., there is, of course, the cost to your reputation, which is directly connected to your bottom line. If the latest ransomware attack, WannaCry, which hit more than 150 countries and 200,000 businesses, has not sounded the alarm at your brand, I am unsure what will.

So where are you in your cyber crisis planning? Maybe you have had a tabletop exercise where you practice what will happen in the case of a cybersecurity situation, or you have a good understanding and a procedural plan. And maybe you have thought about it, but it is getting pushed down your to-do list. Wherever you are in the process, from “not thought about it” to “I have a full-fledged plan,” the tips below will help bring your cyber-smarts up to speed.

1. Know the different types of attacks and some basic cybersecurity terminology.

Data breach: A data breach usually is a serious situation where personal, sensitive data is exposed to an unauthorized party. As you know, it usually is important to choose words carefully. That certainly is the case when dealing with cybersecurity. For example, there is a large difference between a data breach and a security incident (as described below). As data breaches go, personal, sensitive information might be credit card data, social security numbers, phone numbers, birth dates, etc. If you are in an industry that is subject to compliance—like HIPAA if you are in healthcare, or PCI if you transmit financial data—you are held to tight standards for handling personally identifiable data, and how and when you must disclose to the public if you’ve suffered a breach.

Security incident: This indicates there may have been a threat to computer security or data. What you call an incident matters in your communication. A security incident is not necessarily a data breach, or that a hack was successful—it might mean attempted malicious activity. Initially you might report an incident at the onset of a cyber situation, and it could evolve into something else once you get more details.

Compromise: This is a vague term, but in the cyber world, if you are compromised it typically means something unintended occurred. If could be anything from a laptop theft to a large amount of data being stolen from your network. Basically, some sort of unfavorable action took place. For example, someone accessed your Twitter account through a third-party app and tweeted out explicit content from your handle. In this case your Twitter account was compromised.

Vulnerability: A vulnerability is a weakness in a system that can leave it open to a cyberattack, or that has the potential to be exploited. IT pros try to reduce vulnerabilities to keep hackers and cybercriminals from entering. Sometimes there may be a vulnerability in a software program you are running and hackers will write computer programs to exploit, or get into, your systems through that vulnerability.

Exploit:An exploit is used to take advantage of a vulnerability. For example, a piece of software or series of commands might be an exploit that takes advantage of a vulnerability. So the exploit will be used to enter into the system through the vulnerability. For example, your CRM software might have a vulnerability, and if a hacker discovers it he or she might get in and steal your customer data. If you are a retailer, you have a point-of-sale (POS) system used for credit card transactions. Since POS systems are connected to the internet and run software, they may contain exploitable vulnerabilities. Often POS systems are targets of cyberattacks. A few examples include major breaches at Wendy’s, Target. and most recently at Chipotle and Sears.

Let’s use these in a sentence:

“On March 23rd, a malicious actor exploited a vulnerability in our network resulting in a small portion of our customer information being compromised.”

“A vulnerability in our POS system caused some customer credit card information to be exposed. We are conducting an investigation and will be providing customers with an update as soon as we know more.”

You are not expected to be a technical expert, so have a resource in your company, or the company you represent, who will be assisting you with technical details used in communicating in the case of a breach. This might be the Chief Technology Officer, Chief Privacy Officer, IT Director or an equivalent. Legal counsel should be heavily involved in these types of communications as well.

Ransomware: This type of cyberattack has been skyrocketing, leaving the business sector to deal with a very specific type of problem: Hackers break into a company’s system and hold its data (or something digitally controlled) for ransom. The hacker will return the data only when the company pays a demanded amount of money, typically asked for in a digital currency, like Bitcoin. If the brand pays, it might have to deal with public repercussions and backlash since paying cybercriminals is sometimes frowned upon. Hopefully your company has data back-ups and necessary technology in place so you can restore the ransomed assets and avoid this conundrum. Ransomware is a major issue now, and there are cases that occur that are never publicly reported.

2. Don’t call anything a sophisticated attack if it is unsophisticated.Often a company may want to call a cyberattack sophisticated to avoid some of the blame, or appear as though it was not at fault. Be careful in throwing around this word; use it only when warranted. Your technical advisors—be it the CTO or a forensics firm that may be hired—can help you assess the level of sophistication so you can determine whether this word—or a similar term—is actually representative of the attack and thus appropriate for use.

3. Be careful about finger pointing: Only say it’s not your fault if it truly is not.When you think you are the victim and it is not your fault, think again. When communicating around a security incident or breach, it is very easy to look defensive, or appear as though you are not taking ownership for the problem. Yes, you may have been the victim of cybercrime, but your customers (or employees, or whoever) are the true victims in the public’s eye. The way you discuss the crime and/or communicate should always reflect that.

After all, the public always will side with victims and contend that the organization could have done more, which often is the case. You could have dedicated more resources to security or encrypted the data. Vetting of third-party vendors that have credentials and/or access to your data could have been done with more care. You could have been more careful to update your software.

If you must respond to a security issue, this will be part of what you need to think about and strike the appropriate balance. If something is not your fault, it should be clearly stated (only if you know this to be 100% true)—however, even if at first glance it appears not to be the case, you may be more responsible than you think. Often a hacker may access your network through a vendor. (Take Target, for example: Hackers were able to enter via the heating, ventilation and cooling vendor). However, it is still up to your brand to vet the security practices of vendors, so the blame still falls on you.

4. Ask about your cyber insurance policy: Cyber insurance is a must-have for organizations. These policies cover expenses and costs in case you suffer a breach and certain security incidents. Here is the important part for communicators and/or your brand: Most cyber insurance policies have a clause that covers costs of crisis PR (e.g., if your brand engages a company to help with crisis PR). So if you have not already, you should: 1. Make sure that PR is part of the policy and 2. Ask to have your agency listed if you have one.

One of the most challenging things about being in PR is reacting to unforeseen events. Usually, those unforeseen events are not fun and fluffy; they are serious and can devastate your brand and bottom line. Often the entire weight of the situation rests on your shoulders, and if you are not prepared, you panic, which can lead to a bad or misinformed judgment call.

NOTE: This article ran originally in PR News, June 5, 2017. For subscription information, please visit: http://www.prnewsonline.com/about/info

CONTACT: anna.keeve@eset.com    @annakeeve