The data breach crisis has almost become a cliché in the business world.
With organizations hoarding a vast wealth of data on their customers, from credit card information to where you live and what you like, companies are vulnerable to cyberattacks that seek to obtain that information for illicit purposes. Plus, the backlash over a failure to safeguard user data can cause a reputation problem for even the most robust organization.
Just ask Equifax.
Cybersecurity is a problem with which PR pros must be familiar. They must understand the stakes, the risks and the tactics needed to prevent a crisis, not just respond to one. To be truly effective in a modern PR role, they must help leaders make decisions about cybersecurity that will help protect the brand’s reputation.
Kaylin Trychon of Rokk Solutions in Washington, D.C., has made cybersecurity her specialty after working with corporations like Raytheon on security solutions and now is lending her expertise to others in the field.
Trychon says the communication challenges of cybersecurity are twofold.
“I think there’s a challenge of communicating the importance of security,” she says, pointing to the lack of adoption of basic safety features such as two-factor authentication and other measures. “They really do impact the entire ecosystem—all it takes is one person to click on a link, and there you go.”
However, even more important for the PR pro is to know what to do after your organization has been breached.
“Having a crisis comms plan in place for that is table stakes at this point,” Trychon says. “If you don’t know how you’re gonna navigate something like that, you’re behind the eight ball. Something that should be your first priority in 2020 is: What is our communication strategy?”
What the strategy looks like
Trychon says step No. 1 is identifying who your crisis response team should talk to, “not only in your security department but in legal and at the very high level.”
She adds: “Most security teams have incident response plans and a playbook. I would suggest that communicators use the playbook that’s already developed and figure out how it maps to what your communication strategy should be. These security professionals know what the threat model is, they know what threats are most likely going to happen, what events are most likely going to target your organization. You can do a lot of prep in advance for that.”
Trychon emphasizes that preparation helps an organization to be transparent.
“I think a lot of times [a crisis plan] isn’t in place. So the response becomes: ‘Oh, we’re getting everything ready,’ which turns into, ‘You’re not being transparent; you’re not telling us; you’re trying to hide it.’” Trychon says it’s important to communicate even when you don’t know all the details so you don’t give the impression of a coverup.
What belongs in your plan
To be effective, your team has to know what is being said about your organization online. “Digital and social media monitoring as a part of it,” says Trychon.
What makes social media listening so important is that this kind of attention to detail can alert you to the problem before the story makes headlines. “Most of this news breaks on social media before it breaks in the headlines,” says Trychon, “so that’s going to be your first identifier that something is coming down the pike.”
Security reporters are also highly active on Twitter, so getting to know these players will help you be prepared and know whom to contact with your side of thee story.
“You’re going to quickly be able to identify what reporters are identifying [your crisis] as a story,” says Trychon, “and you could immediately figure out your media, the people that you need to know, that are already on the trail.”
Your plan should also list the relevant stakeholders that ought to be engaged once you know that a problem has occurred.
“Who in the company do you need to alert?” asks Trychon. She adds that it is also crucial to identify who will be the point of contact for any inbound media requests. “Have somebody who knows that it’s their job is to handle inbound, and figure out who you need to get back to, who you need to talk to, and also who hasn’t come to you yet but is going to come, or you want to come.”
For understanding the media relations side, Trychon identifies three buckets of reporters who will care about your crisis: those who cover your industry for their beat, those who cover data security, and those who cover financial news, like stock moves and investor relations.
The third faction can be a big deal, especially if you are at a publicly traded company, according to Trychon. “Identifying who in your world is going to care about this is really important,” she says, “and you can do that in advance a lot of times.”
She also advises that your media relations strategy include owned channels, such as your social media accounts and website. “If there’s downtime, make sure that you’re communicating that to the public,” she says.
Stress-testing your response
Many organizations take crisis response so seriously that they run simulations to see where a potential weak link might make them vulnerable.
“A lot of organizations do this today,” says Trychon. “They send employees phishing links, test ones to see if they’ll click.” She advises that communicators also be a part of these dry runs and security tests.
“Make it as realistic as possible,” she says. “Take your playbook and practice it, and then you’ll be able to identify the holes.”
What might those holes look like? Trychon has a few suggestions: “How long did it take you to all get together on a call and run through your strategy? Does it take us an hour, 30 minutes, a day? Where do we need to streamline?”
She also says that a good stress test will prepare the team for “audibles” or improvisation. What happens if a crisis hits and your main spokesperson is on vacation? Who can you bring in? “Practice and practice again,” she advises.
What are the errors that are made around data breach crises that can exacerbate the situation? Trychon identifies three main gaffes.
“I think one of the biggest mistakes we see is denying that it happened right off the bat,” she says. “If it didn’t happen, it is important to do that, but I think you need to be prepared to have the evidence that backs up your claim.”
She warns that an immediate denial won’t ring true, because there is no way your research team has done the work to double check. “Make sure you say you’re investigating the issue and that it’s really being taken into consideration, because if you deny it and it does come out as true, you have just put so much more work back on your plate,” she says
She also advises against waiting until you have all the information to make a statement.
“It takes time to investigate these breaches to figure out how much damage was actually done and what was done,” she says. “Communicating early and often is the best approach; if you wait too long, sometimes the story gets way out ahead of you, and then people have a hard time knowing what to believe.”
The final mistake she warns about is not taking advantage of the expertise of reporters working on data breach stories.
“It’s a tricky concept, and it’s really technical,” she says. “Make that when you’re on the phone, it’s not just to talk about this incident, but you know, really educate on what your ecosystem looks like and make sure that it’s not just cut and dried.”