PR & COMMS TIPS FOR MANAGING UNPREDICTABLE DATA BREACHES - Signal AI
Page content transcription
If your browser does not render page correctly, please read the page content below
PR & COMMS TIPS FOR MANAGING UNPREDICTABLE DATA BREACHES Words: Caity Dalby Photography: Adobe Stock/Creative Commons
INTROD A BREACH MAY BE UNPREDICTABLE, BUT HOW YOU REACT, COMMUNICATE, UCTION Data breaches can happen at any time, anywhere, and affect any organisation. So how can you ensure that you’re prepared to deal AND RECOVER, SHOULDN’T BE. with cyber attacks as and when they happen? Having a defined, documented and well-distributed internal data breach communications strategy - supporting and enhancing the companies’ wider recovery plan - is key to managing an unpredictable cyber attack. A breach may be unpredictable, but how you react, communicate, and recover, shouldn’t be. And with British Airways being handed a record fine by the Information Commissioner’s Office (ICO) for their 2018 data breach, cyber resilience is of paramount importance. 
Cyber resilience is defined as the ability of an organisation or business to anticipate, withstand, contain, recover, and evolve after a data breach (The Chartered Institute of Procurement & Supply, CIPS).  ANTICIPATE, WITHSTAND, CONTAIN, RECOVER, AND EVOLVE When approaching these principles of cyber resilience, they can be separated into three primary stages: Before, During and After. Planning an extensive communications strategy for each stage, whilst ensuring you have a cohesive plan that touches every point in the business, is the key to cyber resilience. How you utilise your PR and comms to manage an unpredictable cyber attack can be the difference between substantial fines and surviving a data breach with minor reputational damage. We look at the Before, During and After stages in the process of managing an unpredictable cyber attack, with examples of the good, the bad, and the ugly in cyber resilience. RESILIE NCE
BEF ORE PREPARATION, PLANNING AND PEOPLE Preparation and Planning Firstly, you need to define what a “data breach” means to your company. Every company is different in whose data it holds and how it stores that information. There needs to be a definitive idea of what a data breach or cyber attack looks like for your company and a company-wide understanding before you can plan your withstand, contain, THERE NEE recover and evolve strategy. DS Once that is clear, a strategy needs to be TO BE AN built and put in place. This includes conducting ACCEPTANC simulations, a plan for internal responsibility E AT and management during the breach, and the curation of a wide-range of pre-written ALL LEVELS People collateral. These will range from social media THAT posts, marketing campaigns, press releases DESPITE AL The human aspect of managing and general proactive PR outreach, and quotes L THE an unpredictable data breach within or testimonials for key spokespeople. These PREPARATI a company is paramount to the success are all of equal importance and none can work ON of recovery. in isolation; only a holistic and wide-reaching AND PLANN First and foremost, there needs to be communications strategy will be effective. ING an acceptance at all levels that despite all the IN THE WOR preparation and planning in the world, you may LD, still be targeted and suffer from a cyber attack. YOU MAY ST No one is invincible or impervious. ILL BE TARGETED Second, clear planning needs to take place with a broad range of stakeholders. This includes the CEO, CMO, Head of Communications, and beyond. Key decision makers should plan a strategy in advance, matching responsibilities to those who can take action, and outlining how these plans compliment the wider communication strategy. This ensures a brand’s reputation and values are upheld and that consistent messages are delivered across channels.
MYFITNESSPAL On 25 March 2018, 150 million MyFitnessPal customers had their accounts hacked and personal details stolen in a cyber attack on the sports giant - usernames, email addresses, and passwords were compromised. The parent company, Under Armour, stated that they became aware that “an unauthorized party acquired data associated with MyFitnessPal user accounts” in February 2018, a month before the public announcement.  MyFitnessPal are a prime example of inadequate preparation, despite their initial seemingly adequate response. They not only failed to notice that their systems had been hacked for an entire month, but they had neglected to prepare or implement a plan for how to effectively deal with a cyber attack. They didn’t have a way to ensure that their customer’s data would be protected post-data breach. This has come to a head, as it has recently become apparent that some of the hacked data has become available to purchase on the Dark Web a year after the data breach.  In a report from The Register, the hacked data from MyFitnessPal is on sale, alongside credentials from 15 other websites and apps, for less than $20,000 in Bitcoin.  Despite minor encryption of passwords and MyFitnessPal’s instruction to its customers to change their passwords, the selling of these details could cause issues for people who reuse passwords across multiple websites. The ramifications of the MyFitnessPal data breach aren’t as far reaching as others, however the sheer scale of the cyber attack and the continuing problems that are arising display an internal lack of forward planning.
DUR ING CONTROL, CONTAIN AND MONITOR Control and Contain As you work to control and contain an unpredictable cyber attack, there needs to be an admission of clear liability and acknowledgement of responsibility from important messages aren’t missed and the organisation is responding in a timely fashion. This is as much the case with the acknowledgement of liability from the media-facing spokespeople. Saying sorry, company’s spokesperson/people, as it is and knowing when it’s appropriate to say it, with messaging on social media channels zone to your company’s HQ, there needs to is incredibly important. And as enquiries and and the website. be a backup plan. Having a contingency press coverage increase during incidents, plan for when your workforce goes home it’s important to move away from solely As such, you need to have tight control for the day should not be overlooked: reactive action and be seen to be proactive. over your communications channels. organise employees to take shifts, provide This includes stopping scheduled on-the-go resources so employees can continue communications in the form of press to work at home, or bring in outside support. SAYING SORRY releases and marketing campaigns, and making sure multiple people have Another aspect of the control and containment AND KNOWING access to the businesses’ social media accounts. period of managing an unpredictable cyber attack is the ability of your website to handle a dramatic spike in traffic. Websites often WHEN IT’S When communicating messages during a data breach, it’s important to consider see a rise in visits once a data breach has been announced publicly and reported in the APPROPRIATE your audiences, the social media channels they use, the type of content they respond press, as members of the public look to official channels for answers. Ensure all information is “REMEMBER to, and what they will be expecting in this up-to-date by setting aside a plan of action to TO SAY IT, IS situation. Maximising your reach in this way will encourage engagement and awareness; bring in more resources. Factoring in time for training and providing additional equipment THE 3 RS - INCREDIBLY whilst connecting with your audience in a professional and reassuring manner will is useful. RECOGNISE, help contain the fallout of the data breach. In the same vein as providing adequate IMPORTANT. It’s important to be aware and mindful of the feelings of customers that have been directly resources, technical competence within the business or a detailed plan for outsourcing REGRET AND impacted by the data breach. technical support needs to be in place. As Jon Sellors, Head of Corporate Comms at LV=, says you should “Remember the 3 Rs - It’s also key to consider time-zones and out Recovering quickly, with as little reputational damage as possible, is unlikely if you don’t RESOLVE.” recognise, regret and resolve.” of hours support as the flurry of activity and have the fundamental technical competence JON SELLORS, messages won’t stop when your standard to fix what led to the data breach in the first When in the midst of a data breach clear lines operating hours end. And if a crisis begins place and to implement a multi-channel PR HEAD OF CORPORATE of communication are crucial to ensuring out of hours, or surfaces in a different time- and communications strategy. COMMS, LV=
UTILISING A MEDIA MONITORING AND REPUTATION MANAGEMENT PLATFORM, SUCH AS SIGNAL A.I. CAN AUTOMATE THE MONITORING PROCESS AND ALLOW YOU TO RESPOND TO MEDIA COVERAGE IN REAL-TIME. Monitor Staying informed during any kind of crisis, As previously mentioned, it’s important to be truly but especially during a public data breach, global with your cyber resilience plan and media is essential. Knowing who is talking about monitoring during a data breach. With cyber you, the press you’re receiving, and the attacks hitting companies globally, out of hours, sentiment of that press, can make all the in a different time zone to HQ, or focused on a difference in the outcome of your specific regional part of a business, the reach of recovery process. your media monitoring needs to extend beyond English language news sources. Utilising a media monitoring and reputation management platform, such as Signal A.I., The Signal A.I. platform accurately categorises, can automate the monitoring process and translates and extracts intelligence from over allow you to respond to media coverage in three million media sources a day and surfaces real-time - a must in the modern 24-hour news the relevant information in real-time. You should cycle. The Signal A.I. platform mirrors the invest in a media monitoring tool that provides established workflow of a business, automating you with an invaluable global outlook and head media monitoring, reporting and analysis, to free start when dealing with media fallout during and up time for key stakeholders and spokespeople after a breach. to focus on making informed decisions in the cyber attack recovery process.
SONY A great example of efficient and effective control and containment of a data breach is the 2011 cyber attack on SONY’s PlayStation Network. The data breach is viewed as the worst to hit the gaming community of all-time. It impacted 77 million PlayStation Network accounts, and out of these accounts 12 million had unencrypted credit card numbers. Hackers gained access to full names, passwords, e-mails, home addresses, purchase history, credit card numbers, and PSN/Qriocity logins and passwords. The data breach hit SONY hard, with the website down for a month and estimated losses of $171 million. Despite the financial ramifications of this incident, it serves as a great example of corporate responsibility - knowing how and when to say sorry. IT SERVES AS A GREAT EXAMPLE OF CORPORATE RESPONSIBILITY - KNOWING HOW AND WHEN TO SAY SORRY. Like many companies that experience a data breach and the inevitable backlash that comes from it, SONY’s approach wasn’t without faults and imperfections. However, they knew when to take responsibility as a company, how to apologise, and which spokespeople had to take public liability. In a move that helped to save them from further reputational damage, SONY’s president and two senior executives stepped-up as media facing spokespeople to apologise publicly and accept liability for the data breach. 
AFTER LEARN, EVOLVE AND UNDERSTAND Once the dust has settled and media Communicate coverage has slowed, it’s time to learn from the YOU NEED TO experience, evolve so it is less likely to happen There also needs to be continuing and clear, again, and understand why it happened to you in the first place. key messaging about the breach in the aftermath. Companies’ need to proactively ASSESS WHAT YOU provide information on any ongoing Learn and Evolve investigations, the results of these, and further CAN DO TO CHANGE actions they are taking to ensure the data There isn’t a definitive step-by-step process to follow in the aftermath of a data breach. they hold is more secure. THE REPUTATION & But once you’ve managed to withstand the With the implementation of GDPR in Europe initial cyber attack, you need to go back and other data protection laws across the PUBLIC PERCEPTION to the drawing board with the rare opportunity globe, including the US Federal Trade to shape and improve your processes. All of the following need to happen simultaneously Commission Act, consumers are more acutely aware of their rights. They have a better and OF YOUR COMPANY. for a business to truly come out of a serious more informed understanding of how data data breach the better for it. protection and security works, the value of Understand their information, and the consequences for You need to re-prep and plan for next time. businesses that do not comply. As a result, In tandem with the above actions, as a business And don’t be complacent as there may very it’s absolutely necessary for you to not shy you need to define why you were the target for well be a next time. This involves evaluating away from it, the press and your customers a cyber attack. This can be for a multitude of what in your current strategy to manage an certainly won’t. reasons, but defining why you were targeted unpredictable cyber attack did and didn’t work. will be invaluable information to possess in the learning and re-planning process. And again, it is You need to question everything the business did in reaction. Did you monitor the media THERE NEEDS TO an opportunity to realign and direct the company in a different direction. being produced about you adequately enough to provide real-time, useful updates? Can BE CONTINUING Businesses are either randomly targeted or you confidently claim that you effectively chosen due to obvious (to cyber attackers) contained the damage through both reactive and proactive measures? Was your messaging & CLEAR KEY security flaws or for reputational reasons. In the case of Ahsley Madison, the extra-marital dating site, it’s no surprise that it was reputation driven. about the data breach clear and informed? An outside mediator, moderator, or security MESSAGING ABOUT If you determine that you were targeted because provider may be necessary for this process as of the latter, you need to assess what you can do objectivity is hard to maintain. THE BREACH IN to change your reputation and public perception of your company. THE AFTERMATH.
ASHLEY MADISON Reputation is everything, especially when and chief technology officer of the company yours attracts “vigilante” hacking groups. in April 2017, made a point to publicise the security measures they implemented following Ashley Madison, or The Ashley Madison the breach: two factor authentication, a bug Agency under the parent company Ruby Corp, bounty program, adherence to the NIST suffered a massive security breach in 2015 cybersecurity standards, a no-third party policy that exposed over 300 GB of user data. This when it comes to user’s information, and included users’ real names, banking data, new chief information and security officers. credit card transactions, and secret sexual “Security and discretion” were described fantasies. among Buell’s key focuses for 2018. The vigilante hacking group, ‘The Impact Team’, demanded a ransom for Ashley Madison’s user’s data, as a punishment for the company not keeping the data secure. This “ASHLEY’S CORE wasn’t paid and the ramifications of the data breach were far reaching, impacting both the DIFFERENTIATOR business and its users, leading to numerous “[r]esignations, divorces and suicides.”  IS DISCRETION.” According to the Federal Trade Commission RUBEN BUELL, (FTC) complaint post-hack, Ashley Madison FORMER PRESIDENT & CTO, “had no written information security policy, no reasonable access controls, inadequate RUBY (ASHLEY MADISON) security training of employees, no knowledge of whether third-party service providers were This seems to have worked; by gradually using reasonable security measures, and rebuilding their reputation and focussing no measures to monitor the effectiveness their efforts on regaining public trust they are of their system security.”  Part of the FTC reported to have “191,000 daily active users settlement required that the company add (defined as members who have exchanged “a comprehensive data-security program, messages) and 1.4 million new connections including third-party assessments.” made each month.”  In the years since the cyber attack, Ashley Whether you agree with the platform or Madison have been quietly recuperating and not, their bounceback after the data breach evolving. They have by no means done a and subsequent success says a lot for their perfect job at post-breach recovery, but the recovery and evolution. intention is there. They have defined, and now understand, why they were a target - both reputational and ease of access. Importantly, they have put the groundwork in to repair their damaged business. In a major change, Ashley Madison have realigned their central message. They now exist to help those in loveless/sexless marriages, those going through divorce and illness. Ruben Buell, who became president
If handled incorrectly data breaches can break a company financially, irreparably damage reputation, or have devastating consequences for customers. And they can happen to any business. Curating and Bibliography implementing a communications and PR  British Airways faces record £183m fine for data breach, BBC News (8 July 2019). strategy for managing an unpredictable  Cyber Crisis Management Plan for countering cyber attacks and cyber terrorism, The Chartered Institute of cyber attack is paramount for a businesses’ Procurement & Supply (CIPS), 2018. survival of, and recovery from, a data breach.  MyFitnessPal: Notice of Data Breach, MyFitnessPal (29 March 2018).  Hacked MyFitnessPal Data Goes on Sale on the Dark Web—One Year After the Breach, Fortune (14 February 2019).  620 million accounts stolen from 16 hacked websites now for sale on dark web, seller boasts, The Register (11 By doing what you can to ensure cyber February 2019). resilience through adequately anticipating,  Sony bosses apologise over theft of data from PlayStation Network, The Guardian (1 May 2011). stoically withstanding, efficiently containing,  Life after the Ashley Madison affair, The Guardian (28 February 2016). effectively recovering, and evolving with  Ashley Madison attempts to regain the public’s trust, engadget.com (29 March 2018). humility, brands can safeguard themselves. And ultimately, and fundamentally more importantly, businesses can protect their customer’s data.
Signal is the A.I. powered media monitoring platform delivering strategic insights that help you make the best possible decisions. For more information email firstname.lastname@example.org or call us on +44 (0) 20 3828 8200 (UK and rest of world) or +1 917 398 5931 (US).
You can also read
NEXT SLIDES ... Cancel