What PR pros should know about cybersecurity

The challenges that organizations face from data breaches and cybercrime fall squarely in the laps of communicators. Here’s what a savvy PR should be advocating for.

The data breach crisis has almost become a cliché in the business world.

With organizations hoarding a vast wealth of data on their customers, from credit card information to where you live and what you like, companies are vulnerable to cyberattacks that seek to obtain that information for illicit purposes. Plus, the backlash over a failure to safeguard user data can cause a reputation problem for even the most robust organization.

Just ask Equifax.

Cybersecurity is a problem with which PR pros must be familiar. They must understand the stakes, the risks and the tactics needed to prevent a crisis, not just respond to one. To be truly effective in a modern PR role, they must help leaders make decisions about cybersecurity that will help protect the brand’s reputation.

Kaylin Trychon of Rokk Solutions in Washington, D.C., has made cybersecurity her specialty after working with corporations like Raytheon on security solutions and now is lending her expertise to others in the field.

Trychon says the communication challenges of cybersecurity are twofold.

“I think there’s a challenge of communicating the importance of security,” she says, pointing to the lack of adoption of basic safety features such as two-factor authentication and other measures. “They really do impact the entire ecosystem—all it takes is one person to click on a link, and there you go.”

However, even more important for the PR pro is to know what to do after your organization has been breached.

“Having a crisis comms plan in place for that is table stakes at this point,” Trychon says. “If you don’t know how you’re gonna navigate something like that, you’re behind the eight ball. Something that should be your first priority in 2020 is: What is our communication strategy?”

What the strategy looks like

Trychon says step No. 1 is identifying who your crisis response team should talk to, “not only in your security department but in legal and at the very high level.”

She adds: “Most security teams have incident response plans and a playbook. I would suggest that communicators use the playbook that’s already developed and figure out how it maps to what your communication strategy should be. These security professionals know what the threat model is, they know what threats are most likely going to happen, what events are most likely going to target your organization. You can do a lot of prep in advance for that.”

Trychon emphasizes that preparation helps an organization to be transparent.

“I think a lot of times [a crisis plan] isn’t in place. So the response becomes: ‘Oh, we’re getting everything ready,’ which turns into, ‘You’re not being transparent; you’re not telling us; you’re trying to hide it.’” Trychon says it’s important to communicate even when you don’t know all the details so you don’t give the impression of a coverup.

What belongs in your plan

To be effective, your team has to know what is being said about your organization online. “Digital and social media monitoring as a part of it,” says Trychon.

What makes social media listening so important is that this kind of attention to detail can alert you to the problem before the story makes headlines. “Most of this news breaks on social media before it breaks in the headlines,” says Trychon, “so that’s going to be your first identifier that something is coming down the pike.”

Security reporters are also highly active on Twitter, so getting to know these players will help you be prepared and know whom to contact with your side of the story.

“You’re going to quickly be able to identify what reporters are identifying [your crisis] as a story,” says Trychon, “and you could immediately figure out your media, the people that you need to know, that are already on the trail.”

Your plan should also list the relevant stakeholders that ought to be engaged once you know that a problem has occurred.

“Who in the company do you need to alert?” asks Trychon. She adds that it is also crucial to identify who will be the point of contact for any inbound media requests. “Have somebody who knows that it’s their job to handle inbound, and figure out who you need to get back to, who you need to talk to, and also who hasn’t come to you yet but is going to come, or you want to come.”

For understanding the media relations side, Trychon identifies three buckets of reporters who will care about your crisis: those who cover your industry for their beat, those who cover data security, and those who cover financial news, like stock moves and investor relations.

The third faction can be a big deal, especially if you are at a publicly traded company, according to Trychon. “Identifying who in your world is going to care about this is really important,” she says, “and you can do that in advance a lot of times.”

She also advises that your media relations strategy include owned channels, such as your social media accounts and website. “If there’s downtime, make sure that you’re communicating that to the public,” she says.

Stress-testing your response

Many organizations take crisis response so seriously that they run simulations to see where a potential weak link might make them vulnerable.

“A lot of organizations do this today,” says Trychon. “They send employees phishing links, test ones to see if they’ll click.” She advises that communicators also be a part of these dry runs and security tests.

“Make it as realistic as possible,” she says. “Take your playbook and practice it, and then you’ll be able to identify the holes.”

What might those holes look like? Trychon has a few suggestions: “How long did it take you to all get together on a call and run through your strategy? Does it take us an hour, 30 minutes, a day? Where do we need to streamline?”

She also says that a good stress test will prepare the team for “audibles” or improvisation. What happens if a crisis hits and your main spokesperson is on vacation? Who can you bring in? “Practice and practice again,” she advises.

Common mistakes

What are the errors that are made around data breach crises that can exacerbate the situation? Trychon identifies three main gaffes.

“I think one of the biggest mistakes we see is denying that it happened right off the bat,” she says. “If it didn’t happen, it is important to do that, but I think you need to be prepared to have the evidence that backs up your claim.”

She warns that an immediate denial won’t ring true, because there is no way your research team has done the work to double-check. “Make sure you say you’re investigating the issue and that it’s really being taken into consideration, because if you deny it and it does come out as true, you have just put so much more work back on your plate,” she says.

She also advises against waiting until you have all the information to make a statement.

“It takes time to investigate these breaches to figure out how much damage was actually done and what was done,” she says. “Communicating early and often is the best approach; if you wait too long, sometimes the story gets way out ahead of you, and then people have a hard time knowing what to believe.”

The final mistake she warns about is not taking advantage of the expertise of reporters working on data breach stories.

“It’s a tricky concept, and it’s really technical,” she says. “Make sure that when you’re on the phone, it’s not just to talk about this incident, but you know, really educate on what your ecosystem looks like and make sure that it’s not just cut and dried.”

3 Responses to “What PR pros should know about cybersecurity”

    Ronald N. Levy says:

    “Preparation,” says astute Kaylin Trychon of Rokk Solutions, “helps an organization be transparent.” It calls to mind the Coast Guard lyrics: “Semper Paratus is our song, on land and on the sea.”

    Preparation can also help an organization to avoid being overly transparent which could make the organization sound guilty as hell when it isn’t. If it was in fact guilty, a commonly expressed idea is that “it will all come out eventually” so it makes sense for you to tell it all right away.

    Don’t believe this!

    First, it may NOT all come out eventually which is why many defense lawyers put in a defense case instead of pleading guilty.

    Second, your company’s law firm may advise your top management if you have admitted guilt and provided details when you didn’t have to, “Fire that big-mouthed bastard!”

    Third, if a bad truth does eventually come out, your skilled PR may at that time show the media extenuating circumstances, plus show how the company has stepped in voluntarily and done a LOT to mitigate the situation, plus make clear what has been done to prevent recurrence so there’s less likelihood of extreme and excessive regulation (possibly damaging!) to prevent recurrence.

    Fourth, once you have time to gather more facts, your PR may be able to show “it was them, not us.” The problem was associated with a small number of people (“associated with” not “caused by”) who violated management’s orders and who are now GONE and not coming back. So there may be sense in not over-reacting by blaming the whole organization of hard working people, over 99.9% of whom had nothing to do with the problem and who work every day to serve the public.

    Fifth, people in truth have no obligation to leave the shades up in the bedroom even when there’s nothing to hide, nor to tell everything we think we may know at a time when we obviously don’t know everything.

    Even Supreme Court decisions, as in the landmark Brown vs. Board of Education case, are for things to be done “with all deliberate speed,” not in haste nor done yesterday nor done so soon that they can’t be done right.

    The chorus of the Coast Guard song shows us peril: “Semper Paratus is our guide, our fame our glory too” and then what we should remember, “to fight to save or fight and die!”

    Rokk and other Washington PR firms may save a company from disaster, and almost every major company should have Washington PR guidance on retainer. Otherwise in deciding how much transparency is enough and how much is too much, a short-of-time company may feel itself between a Rokk and a hard place with no time to get help from either.
