In late 2014, hackers accessed sensitive information from the accounts of over 500 million Yahoo users. Information that they obtained included names, email addresses, telephone numbers, security questions with their corresponding answers, dates of birth and encrypted passwords. This is considered one of the biggest cyber security breaches of all time and likely led to billions of dollars in damage. But perhaps the most detrimental aspect of the entire event is how the company handled it. The hack was not publicly disclosed until two years later, in the fall of 2016 - long after the door had closed on the possibility that users could take action to secure their accounts and their sensitive information.
Unfortunately, this problem is only going to become more pressing for today’s business leaders. As Lowell McAdam, CEO of Verizon, said “we all live in an internet world, it’s not a question of if you’re going to get hacked, but when you are going to get hacked.” And we all know that a major security breach that results in the loss of sensitive information is enough to seriously damage the reputation of major companies. For a smaller company, it could be enough to put them out of business permanently.
It’s also unfortunate that if you do a quick search online for past corporate security breaches, you will see list after list of cases that highlight the myriad of ways each company mishandled the breach and potentially led to even more serious consequences. In light of this information, it is a good time to consider the proper way to handle a security breach or cyber threat. And while no company ever wants to hear that they have been compromised, in the event that you do, having an idea of the best way to respond can prove to be a priceless asset.
A good plan for this type of crisis communication is going to be centered on effective and timely communication. If you look at two of the most infamous breaches outside of Yahoo’s, Target in 2013 and eBay in 2014, the common element that led to serious public backlash was a delay in the amount of time before company officials took action and another delay before consumers were alerted to the problem. This is why communication has to take center stage in this type of scenario-from the very first action until long after the threat has been contained.
Some key steps in developing a plan include determining who has responsibility for what and making sure that is communicated company wide. Having this level of accountability in place allows you to active a crisis response much quicker than without it. Once everyone is in place, it is also absolutely imperative to get in front of the information as soon as possible by communicating any steps you are taking and new information you receive directly to the media, the customers and any shareholders. It is vital that you are direct about what is happening and how serious the breach is-this is the only way to ensure that they can also respond in an appropriate manner. And in the end, the company will maintain a reputation of honesty and directness, not to mention conveying respect and placing importance on the customer as well as their information.
Once you have had the opportunity to discuss the extent of the breach and any recommended actions for mitigating the damage, it is also important to apologize and hold anyone accountable if security missteps were made. This process should also be made publicly transparent. And finally, once the threat has passed, continue communicating with your customers on any actions you are taking to ensure that their data will continue to be protected and future attacks prevented. This step is vital in re-establishing trust.
It is strongly encouraged that all companies actively monitor and have a crisis plan in place for a security breach. The way we conduct business is changing as e-commerce and digital business in general are becoming the leading way transactions occur. But this shift doesn’t change the fact that crisis communication requires transparency and accountability. If done right, a company’s reputation may still come out unscathed. As Seth Godin writes, “Change is not a threat, it’s an opportunity. Survival is not the goal, transformative success is.”