As 2015 kicks off, Sony is still reeling over what some are calling the most extensive cyberattack ever. It’s estimated that over 100 terabytes of data were stolen and the company’s been reduced to communicating through the BlackBerry devices someone dug up from the basement. Michael Lynton, the CEO of Sony Entertainment, told The Wall Street Journal and the New York Times that Sony implemented a “phone tree” (translation for those who haven’t had kids in middle school: updates relayed from person to person) via mobile devices, employees’ personal Gmail accounts, notepads and those old BlackBerry devices.
And they weren’t alone. Cyberattacks have been launched at US banks, Target and Staples. And there’s every reason to expect them to escalate in 2015. According to a ZDNet interview with Greg Day, CTO of the security firm FireEye, “….these situations are likely to deepen and worsen … into 2015.” The piece goes on to say, “FireEye believes that a lack of adequate response could result in a major brand going out of business in 2015…Breaches are an inevitable part of modern day business, but damage control is possible…”
Let’s hope that a part of that “damage control” is pre-planning how a company’s going to communicate about a breach. In our experience, many of these breaches go unreported – to authorities, to victims and to the public. Why? Because victims worry that falling prey to a cyberattack makes them appear weak; that it shakes consumer confidence and that it positions them as being vulnerable to another violation. For that reason, the first step in pre-planning a crisis response to a cyberattack has to be to develop scenarios for both pro-active and reactive responses.
In a pro-active response, you’re blasting information that gets you ahead of the story. You’re using earned media (public relations), owned media (your site and social media) and paid media (advertising). The content (to some extent), the vehicles and the resources can be lined up ahead of time so all it takes for a timely response is to fill in the information and pull the trigger. In other words, you tell it before others have the chance to shape it.
You can do the same with a reactive-only response. You create the “bones” of a reactive statement, filling in the relevant facts when needed, but you respond only to a specific request from a reporter, blogger or consumer. Being in a reactive-only mode overcomes management’s concerns that your own communications alert the world to the breach – a breach they may or may not suffer from and a concern they may not have had before they heard from you.
Pre-planning both responses frees you up to decide which response is most appropriate. Getting out ahead of a story does give you the first shot at shaping consumers’ perceptions. But it does raise concerns that some managers may not want initially brought to light. In reactive mode, you only respond when asked, but this does make you a “follower” versus a “leader” in the way the story is told. There are pluses and minuses to both approaches and there’s no recipe for success that works in all situations. It’s always a reasoned, game-time decision.
In some cases, the choice is not yours to make. In certain kinds of breaches, there are laws and guidelines about alerting victims within a set period of time. For that reason, we urge you to consult with an attorney experienced in this area before making any decisions on your communications strategy.
No matter what approach you choose, pre-planning can offer one small island in a tumultuous sea of stress after a cyberattack. Cyberattacks are one of the few crimes where people blame the victim. For that reason, it’s likely you’ll be inclined to focus all of your resources on fixing the problem and overlook the immediate need to communicate with the real victims – your customers and employees. Don’t forget that while you’re fixing the problem, going silent about it can and will make the long-term damage to your brand more significant and recovery all the more challenging.